lipp / login-with

Stateless login-with microservice for OAuth

Home Page: https://login-with.com

Incorrect Google "username" value?

jkriss opened this issue

It looks like the Google strategy sets both username and name to displayName. Shouldn't username be the primary email address, or at least something unique?

https://github.com/lipp/login-with/blob/master/src/strategies/google.js#L23-L24

Yeah, Google strategy is a bit special:

Normally, e.g. on GitHub, username=lipp and name=Gerhard Preuss. Likewise with other strategies. However, the username for Google probably is the email (e.g. gelipp@gmail.com).

login-with considers email as precious private information which should only be exposed via http-only cookie. username and user in turn are intended for displaying information like:

"hello lipp! welcome back, btw your name is Gerhard Preuss"

without further API calls, so this information should not be http-only to make them available to JS (SPA).

I hope you agree with that decision (you can also downvote this :)).

However, as other people asked for the email to be included in the cookie, I'll create an issue #41.

At least for my purposes, it's fine to keep email out of the profile cookie, as long as it's in the jwt. I do think that username also carries a connotation of uniqueness, but maybe that's a different question.

Yeah, maybe putting the email in the jwt http-only cookie makes sense. So can I close this issue? I'll create an issue for including the email in the jwt.

That sounds great to me. Thanks!
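The cookie split discussed in this thread, as an added example that is not login-with's own code: display fields go into a script-readable profile cookie, while the email travels only inside a signed JWT in an HttpOnly cookie. The cookie names, claim names, the `PUBLIC_FIELDS` allow-list, the cookie attributes and the sample user are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// base64url-encode a string (JWT segment encoding).
const b64url = (x) => Buffer.from(x).toString('base64url');

// Minimal HS256 signer for illustration; a real service would use a vetted JWT library.
function signJwt(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Check the signature in constant time; return the claims, or null if invalid.
function verifyJwt(token, secret) {
  const [head, body, sig] = token.split('.');
  if (!head || !body || !sig) return null;
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  return JSON.parse(Buffer.from(body, 'base64url').toString());
}

// Hypothetical allow-list: only display fields may reach script-readable storage.
const PUBLIC_FIELDS = ['username', 'name'];

// Build both Set-Cookie headers for one logged-in user.
function buildCookies(user, secret) {
  const profile = {};
  for (const k of PUBLIC_FIELDS) if (user[k] !== undefined) profile[k] = user[k];
  const jwt = signJwt({ sub: user.id, email: user.email }, secret);
  return [
    `jwt=${jwt}; Path=/; HttpOnly; Secure; SameSite=Lax`,
    `profile=${encodeURIComponent(JSON.stringify(profile))}; Path=/; Secure; SameSite=Lax`,
  ];
}

// What document.cookie would expose: name=value of every cookie lacking HttpOnly.
function scriptVisible(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !h.split(';').slice(1).some((a) => a.trim().toLowerCase() === 'httponly'))
    .map((h) => h.split(';')[0]);
}

// Constructed sample user: username equals the display name, as the issue reports for Google.
const sampleUser = { id: 'g-123', username: 'Gerhard Preuss', name: 'Gerhard Preuss', email: 'gelipp@gmail.com' };
```

Running `scriptVisible(buildCookies(sampleUser, secret))` over the headers gives a quick regression check that no private field has leaked into the cookie a single-page app can read.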