[PATCH v2] auth: let users log in using their email address

Mads Kiilerich mads at kiilerich.com
Sat May 16 21:12:20 EDT 2015

On 05/17/2015 02:11 AM, Andrew Shadura wrote:
> Hello,
> On Sun, 17 May 2015 01:50:56 +0200
> Mads Kiilerich <mads at kiilerich.com> wrote:
>>> diff --git a/kallithea/controllers/login.py
>>> b/kallithea/controllers/login.py ---
>>> a/kallithea/controllers/login.py +++
>>> b/kallithea/controllers/login.py @@ -121,9 +121,15 @@ class
>>> LoginController(BaseController): session.invalidate()
>>>                    c.form_result =
>>> login_form.to_python(dict(request.POST)) # form checks for
>>> username/password, now we're authenticated +
>>> +                username = c.form_result['username']
>>> +                if '@' in username:
>>> +                    username = User.get_by_email(username).username
>> This will still fail if the username not is a valid email address?
> No, as this code will never be executed (input rejected by a validator
> first).
> Correct me if I'm wrong, but if I read the code correctly, the check
> here will have no effect (which is why I haven't added it).

Ok. The explanation explains it. The code do however seem fragile and 
non-obvious when reading it. An extra check or a clear comment would help.

Next, my first thought is whether the form validation check somehow 
should rewrite the login ... but that also seems wrong.

My next (and correct?) thought is that it is wrong to use form 
validation for login check. As your patches shows, it is ok that the 
login process _not_ is user friendly. How about dropping the login form 
validation of usernames/password first (perhaps except for "non-empty")? 
What's your thought?


More information about the kallithea-general mailing list