Question about SSO and username/userslug uniqueness

Unsolved Technical Support
  • Similar usernames! Interesting, using levenshtein distance I wonder...?

  • @julian said in Question about SSO and username/userslug uniqueness:

    Similar usernames! Interesting, using levenshtein distance I wonder...?

    I think it is based on Sørensen–Dice coefficient...

  • Yeah, it's Sørensen–Dice - though note that it wasn't really some well considered choice - I implemented it as part of an assignment earlier and just went with it because of that. I thought it might do a bit better than Levenshtein distance from my quick reading of a few articles related to discriminating identity based on username which suggested substring based algorithms are doing better for that task (LCS/GST for example).

    I'll probably add phonetic similarity to the mix in the future, and perhaps actually do some tests to see what makes most sense 🙂
    (and the future is most likely February...)

  • We had similar requirments and ended up with a worflow that allowed the user to change the username rather than the displayname. This works well because the userslug changes along with the username. We lock down the displayname attribute and use that as a holder for the original id. If I recall correctly, we had to modify the session sharing plugin to use the email as the unique identifier to lookup the user.
    All the user profile changes are handled outside of NodeBB in our app so that's something to keep in mind. We also maintain a history of usernames, so no one can appropriate another user's username even as an alias or nickname.

  • @razibal hmm, the session sharing plugin also takes id if provided and uses that as a unique identifier for the user account, so there's no need to use email to distinguish users.

  • Yes but we have no way to know the id from the "outside" when authenticating while we do know the email so it made sense to use the email as the glue between the 2 systems. I suppose we could lookup the id when creating/signing the JWT but ultimately it balances out.

  • @razibal Sounds like we have similar setup but while our profile changes happen outside of Nodebb they also happen outside our website so we don't have a complete list of usernames to check against (unfortunately) otherwise what you describe is the route I would take.

  • @julian @crazycells Is there a hook (or a place where one could be inserted) in the routing where I could hijack the url params and do some conversion of userslugs?

  • @uplift this may or may not work, but the 2factor plugin listens for in order to check if the user has passed 2FA check, and if not, redirects them to the challenge route.

    In your case, you can check the slug, and rewrite the slug as necessary (use helpers.redirect in src/controllers/helpers.js)

  • @julian A quick (hacky) test seems to work. Ill have a deeper dive tomorrow and see if I encounter any issues. Thanks for the hook pointer. 👍

Suggested Topics

| | | |