Project

General

Profile

Actions

Feature #3956

open

Login by Email

Added by Benson M over 14 years ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication
Target version:
-
Start date:
2009-04-20
Due date:
% Done:

0%

Estimated time:
Resolution:

Description

I was looking at a phpBB MOD and thought this is something good any site with user authentication could use.
It lets you login with your email address, and disallows people registering new usernames that match the emails of previously registered users.


Files


Related issues

Has duplicate Redmine - Feature #3208: Login by EmailClosedChaoqun Zou2009-04-20

Actions
Has duplicate Redmine - Feature #8186: Login/sign-in using either email address or usernameClosed2011-04-19

Actions
Actions #1

Updated by Felix Schäfer almost 14 years ago

  • Category set to Accounts / authentication
  • Assignee deleted (Chaoqun Zou)
Actions #2

Updated by James Robertson about 13 years ago

+1 (see #8186 for more details)

Actions #3

Updated by Robert Claypool about 12 years ago

I vote for this. It would be very useful.

Actions #4

Updated by Latchezar Tzvetkoff about 11 years ago

Hi! We have a heavy-used Redmine install at our company and we've found out that most users get confused with those IRC'ish logins, so we needed to patch email login in.
NB: We maintain a patch set we apply after every update, but we think that most of the people will be happy to have email login provided in the official version.

Here is the diff against trunk:

$ svn diff
Index: app/models/user.rb
===================================================================
--- app/models/user.rb    (revision 11691)
+++ app/models/user.rb    (working copy)
@@ -160,7 +160,13 @@

     # Make sure no one can sign in with an empty login or password
     return nil if login.empty? || password.empty?
-    user = find_by_login(login)
+
+    if login.match(/\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/)
+      user = find_by_mail(login)
+    else
+      user = find_by_login(login)
+    end
+
     if user
       # user is already in local database
       return nil unless user.active?
Actions #5

Updated by F Abu-Nimeh almost 10 years ago

login using email is useful
+1

Actions #6

Updated by Slawomir CALUCH over 9 years ago

+1 I maintain a redmine for freelance and personal projects and friends/customers tend to try using their emails.

A few stopped connecting to redmine due to the unmet expectation.

I think this could be an option in `/settings?tab=authentication`

Actions #7

Updated by Dimitris Vi over 9 years ago

+1

for some people having to remember yet another username is not as trivial as it might sound, and when you use their e-mail as username it is ugly and can even mess with the issues list table's layout

Actions #8

Updated by Pierre Maigne over 9 years ago

+1

As far as I can see, it has very little impact,and I would not need to modify user.rb file at each update :)

Actions #9

Updated by Robert Hailey almost 9 years ago

+1

Actions #10

Updated by Enziin System about 6 years ago

+10000

Actions #11

Updated by Bernhard Rohloff over 5 years ago

+1 This is so common these days and people don't have to remember another login.

Actions #12

Updated by Marius BĂLTEANU over 5 years ago

You can already achieve this by using the same email address as login username (attached a screenshot). IMO, current implementation is flexible enough to cover multiple use cases.

We also need to consider that an user can have multiple email addresses (which makes a possible implementation more complex).

Actions #13

Updated by Bernhard Rohloff over 5 years ago

Marius BALTEANU wrote:

You can already achieve this by using the same email address as login username (attached a screenshot). IMO, current implementation is flexible enough to cover multiple use cases.

If your email address changes you can't change your username which makes it somehow impractical. I also see it more like a second chance to get into your account if you have forgotten your username. It's not particularly a problem of mine but I have users who aren't using Redmine very often and tending to forget their username from time to time.

We also need to consider that an user can have multiple email addresses (which makes a possible implementation more complex).

I think it would be sufficient enough to only check the primary email address.

Actions #14

Updated by Marius BĂLTEANU over 5 years ago

Thanks Bernhard for clarification.

It should be enough to allow users to login by username or email address, right? without any other impact in application. I'm asking because first time when I read this, I understood that we should have a setting to choose between username and email.

Actions #15

Updated by Bernhard Rohloff over 5 years ago

Sorry for my late reply Marius, there seems to be an issue with notification mails on redmine.org.

Marius BALTEANU wrote:

It should be enough to allow users to login by username or email address, right? without any other impact in application.

Yes, that's exactly what I ment. You can find it very often these days for example on GitLab, GitHub, or also on Facebook or Amazon.
It's very convenient to get into your account even if you don't remember your username. I think plan.io has done it the same way, as I can remember.

Actions #16

Updated by Go MAEDA 5 months ago

I think the problem may occur when a user sets another user's email address as their login ID. For example, if there are two users as shown in the table below, which user can sign in with foo@example.com?

id login mail
11 testuser1 foo@example.com
12 foo@example.com testuser2@example.com
Actions #17

Updated by Holger Just 5 months ago

A simple (and consistent) solution could be to find a user fiorst by login and then as a fallback by email address. This could be implemented with just the following patch:

diff --git a/app/models/user.rb b/app/models/user.rb
index 0f78a8937a..67704cd162 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -216,7 +216,7 @@ def self.try_to_login!(login, password, active_only=true)
     # Make sure no one can sign in with an empty login or password
     return nil if login.empty? || password.empty?

-    user = find_by_login(login)
+    user = find_by_login(login) || find_by_mail(login)
     if user
       # user is already in local database
       return nil unless user.check_password?(password)

From the example in #note-16, a user trying to login as foo@example.com would thus be logged in as user 12.

Actions #18

Updated by Marius BĂLTEANU 5 months ago

Is it safer to enable this feature under a new setting in Administration -> Authentication which should turn on / off this behaviour? We can keep the setting disabled for existing installations and enabled for new installations.

Actions #19

Updated by Go MAEDA 5 months ago

Marius BĂLTEANU wrote in #note-18:

Is it safer to enable this feature under a new setting in Administration -> Authentication which should turn on / off this behaviour? We can keep the setting disabled for existing installations and enabled for new installations.

I think Redmine should now allow the creation of a new user that contains '@' in their login ID if the new setting is enabled.

Suppose that there is a user below. User 11 can sign in with testuser1 or foo@example.com.

id login mail
11 testuser1 foo@example.com

If the following user 12 is created, then user 11 will suddenly not be able to sign in with foo@example.com.

id login mail
11 testuser1 foo@example.com
12 foo@example.com foo@example.net
Actions #20

Updated by Heiko Robert 3 months ago

I think Redmine should now allow the creation of a new user that contains '@' in their login ID if the new setting is enabled.

Unfortunately it is possible to create new users having a at-sign in the username. This is always a source of trouble, if this is not the user's email which should be also validated against the email property. I would disallow at-sign in usernames to avoid such inconsistencies.

Anyway - in the current implementation it would be safest to add such a config as suggested to turn on / off using `find_by_mail(login)` on login.

I already patch user.rb since 10 years. Would be nice to avoid that and to close this ticket ;-)

P.S.: You should switch your db character set to not fail on specific utf-characters ...

Actions

Also available in: Atom PDF