Feature Proposal: AllowLoginUsingEmailAddress

Motivation

Allow users of template login to log in using either their username or their email address.

Most UserMappings store email addresses, so why not test the password against them too?

This change to the template login code first tests the password against the entered name as a login. If that fails, it tries each user with that email address, so if the same email is used for 4 users, you will be logged in as the first user that has that password.
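The fallback order described above, modelled as an added example (not Foswiki code and not part of the patch below). The account table is constructed, plain strings stand in for the password check, and `login_with_fallback` and its `$require_unique` switch are hypothetical names used to contrast first-match behaviour with refusing a shared address.

```perl
use strict;
use warnings;

# Constructed sample accounts (hypothetical). The plain-text passwords only
# stand in for a real password check; a real store holds hashes.
my @users = (
    { login => 'alice', email => 'team@example.com',  password => 'pw-a' },
    { login => 'bob',   email => 'Team@Example.com',  password => 'pw-b' },
    { login => 'carol', email => 'carol@example.com', password => 'pw-a' },
    { login => 'dave',  email => 'team@example.com',  password => 'pw-a' },
);

# Stand-in for the password check against one login name.
sub check_password {
    my ( $login, $pass ) = @_;
    return scalar grep { $_->{login} eq $login && $_->{password} eq $pass } @users;
}

# Case-insensitive email lookup, returning logins in table order.
sub find_logins_by_email {
    my ($email) = @_;
    my $want = lc $email;
    return map { $_->{login} } grep { lc( $_->{email} ) eq $want } @users;
}

# Returns ($login, $accounts_tried); $login is undef when nothing matched.
# With $require_unique set, an address shared by several accounts is refused.
sub login_with_fallback {
    my ( $name, $pass, $require_unique ) = @_;
    return ( $name, 0 ) if check_password( $name, $pass );
    return ( undef, 0 ) unless $name =~ /\@/;    # crude email test for the demo
    my @candidates = find_logins_by_email($name);
    return ( undef, 0 ) if $require_unique && @candidates > 1;
    my $tried = 0;
    for my $login (@candidates) {
        $tried++;
        return ( $login, $tried ) if check_password( $login, $pass );
    }
    return ( undef, $tried );
}

for my $case (
    [ 'team@example.com', 'pw-a', 0 ], [ 'TEAM@example.com',  'pw-b', 0 ],
    [ 'team@example.com', 'pw-a', 1 ], [ 'carol@example.com', 'pw-a', 1 ],
) {
    my ( $name, $pass, $unique ) = @$case;
    my ( $login, $tried ) = login_with_fallback( $name, $pass, $unique );
    printf "%-18s unique=%d -> %-5s (accounts tried: %d)\n",
        $name, $unique, $login // 'none', $tried;
}
```

The "accounts tried" column shows how many accounts a single submitted password is checked against when an address is shared, which is the number to keep in mind when reasoning about failed-login accounting.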

Description and Documentation

diff --git a/core/lib/Foswiki.spec b/core/lib/Foswiki.spec
index fba9b85..73ece1a 100644
--- a/core/lib/Foswiki.spec
+++ b/core/lib/Foswiki.spec
@@ -435,6 +435,11 @@ $Foswiki::cfg{AuthScripts} = 'attach,compareauth,edit,manage,previewauth,rdiffau
 # every time.
 $Foswiki::cfg{TemplateLogin}{PreventBrowserRememberingPassword} = 0;
 
+# **BOOLEAN EXPERT DISPLAY_IF {LoginManager}=='Foswiki::LoginManager::TemplateLogin'**
+# Allow a user to log in to foswiki using the email addresses known to the password 
+# system.
+$Foswiki::cfg{TemplateLogin}{AllowLoginUsingEmailAddress} = 0;
+
 # **REGEX EXPERT**
 # The perl regular expression used to constrain user login names. Some
 # environments may require funny characters in login names, such as \.
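Review bot: the comment above `$Foswiki::cfg{TemplateLogin}{AllowLoginUsingEmailAddress}` does not say what happens when one address belongs to several accounts, nor that the email lookup only runs after the login-name check has failed. This switch changes which account a given name and password pair logs in as, so both points belong in the comment where an admin enabling it will read them. Minor: "foswiki" should be capitalised, and the first added comment line ends in trailing whitespace.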
diff --git a/core/lib/Foswiki/LoginManager/TemplateLogin.pm b/core/lib/Foswiki/LoginManager/TemplateLogin.pm
index 7a8eb3a..0bc7988 100755
--- a/core/lib/Foswiki/LoginManager/TemplateLogin.pm
+++ b/core/lib/Foswiki/LoginManager/TemplateLogin.pm
@@ -183,6 +183,24 @@ sub login {
     if ($loginName) {
         my $validation = $users->checkPassword( $loginName, $loginPass );
         $error = $users->passwordError();
+        
+        if (!$validation && 
+            $Foswiki::cfg{TemplateLogin}{AllowLoginUsingEmailAddress}  && 
+            ($loginName =~ $Foswiki::regex{emailAddrRegex})) {
+            #try email addresses if it is one
+            my $cuidList = $users->findUserByEmail( $loginName );
+            foreach my $cuid (@$cuidList) {
+                my $login = $users->getLoginName($cuid);
+
+                $validation = $users->checkPassword( $login, $loginPass );
+                if ($validation) {
+                    $loginName = $login;
+                    last;
+                }
+                #this might reveal someone else's username, so using the first failure message
+                #$error = $users->passwordError();
+            }        
+        }
 
         if ($validation) {
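Review bot: in the `foreach my $cuid (@$cuidList)` loop the submitted password is checked against every account that shares the address, and the account that wins is whichever match `findUserByEmail` returns first. The logged-in identity therefore depends on list order, and one login request tests a password against several accounts. Consider skipping the email path when `@$cuidList` has more than one entry, or at least sorting the list so the outcome is deterministic. Also, `$error` may still hold the message from the failed login-name check when the email path succeeds; clear it next to `$loginName = $login;`. The commented-out `#$error = ...` line can go, leaving only the explanatory comment.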
 diff --git a/core/lib/Foswiki/Users/HtPasswdUser.pm b/core/lib/Foswiki/Users/HtPasswdUser.pm
index 4ef7eb0..5407fa4 100644
--- a/core/lib/Foswiki/Users/HtPasswdUser.pm
+++ b/core/lib/Foswiki/Users/HtPasswdUser.pm
@@ -771,8 +771,8 @@ sub findUserByEmail {
     # read passwords with shared lock
     my $db = $this->_readPasswd(1);
     while ( my ( $k, $v ) = each %$db ) {
-        my %ems = map { $_ => 1 } split( ';', $v->{emails} );
-        if ( $ems{$email} ) {
+        my %ems = map { lc($_) => 1 } split( ';', $v->{emails} );
+        if ( $ems{lc($email)} ) {
             push( @$logins, $k );
         }
     }
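Review bot: `lc($email)` in the `if` is recomputed for every record of the `each %$db` loop; compute it once before the `while`. Case-insensitive matching also widens the set of logins a single address resolves to, which matters now that TemplateLogin tries every login returned here, so this hunk should come with a test covering two accounts whose addresses differ only in case. The discussion says the topic user mapper gets the same change, but that file is not in this patch.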

Examples

Impact


Implementation

-- Contributors: SvenDowideit - 09 Aug 2012

Discussion

This also changes the htpassword and topic user mapper to look up email->user case insensitively

I note that the configure admin can't use their email address :/

-- SvenDowideit - 09 Aug 2012

I like it!

-- CrawfordCurrie - 09 Aug 2012

Nice. I guess it means that email addresses can also be used as members of WikiGroups?

-- ColasNahaboo - 14 Aug 2012

Colas - no, that'd be more complicated - go on, make a feature request for it :)

-- SvenDowideit - 18 Oct 2012

Does this mean you can enter your email address instead of user name to log in?

-- ArthurClemens - 18 Oct 2012

sorry, yes, I've updated the motivation to be more explicit - in 1.2.0, users will be able to login using either the username, or the email address - if using template login.

-- SvenDowideit - 18 Oct 2012

ok, so this needs to be changed in the template text as well - it's already done

-- ArthurClemens - 18 Oct 2012

Is password reset also possible with email?

-- ArthurClemens - 18 Oct 2012

What happens if multiple accounts share the same email address? Which password is used? Which account is logged in? Should we enforce unique email addresses if this feature is enabled?

-- GeorgeClark - 02 Nov 2012
 
Topic revision: r11 - 05 Jul 2015, GeorgeClark