teamhanko / hanko

Authentication and user management system optimized for passkeys

Home Page:https://hanko.io

Improve options to get user's email address after sign up / authentication

FlxMgdnz opened this issue · comments

Checklist

  • I could not find a solution in the existing issues or docs.
  • I agree to follow this project's Code of Conduct.

Description

Currently, the only way to get a (new) user's email is through user.getCurrent provided by the frontend-sdk. It seems that this is not immediately clear when using Hanko.

When building an integration with Hanko, the email address is basically always required to do the check if a user is new and needs to be created in the app, or if it's an existing user.

Let's think about improving this situation by maybe including the (primary) email address in relevant events such as onAuthFlowCompleted or even add the email claim to the jwt (seems like this is the most desired approach).

Describe your ideal solution

No response

Workarounds or alternatives

No response

Hanko Version

0.8.3

Additional Context

No response

even add the email claim to the jwt

If this has no security risk, I don't think it should. I would really appreciate this addition.

I would like to just send the Hanko token to my backend endpoints and instantly decode the user email inside the token without doing any further calls to Hanko servers.

Or do what I plan to do now and have to store the user email in local storage after sign-up happens, then send the user email with every single request alongside the token. Then, if at any point the Hanko token is expired, in the front end I clear the local storage and tell users to authenticate again to get both the token and the user email into local storage.

If I could just send the token in Authorization header to endpoints and then decode email from token only, it would simplify the app quite a lot.

Having the user's primary email in the JWT would be very useful for backend user validation. Having to make a secondary, synchronous request to convert the payload.sub to a verified email loses all of the stateless benefits of JWTs.

Getting a user's verified email seems like a popular enough use case to justify the added JWT payload weight. Perhaps this could be enabled via an admin configuration option to populate the JWT with an email field?

When building an integration with Hanko, the email address is basically always required to do the check if a user is new and needs to be created in the app, or if it's an existing user.

You should use the UUID of the user in the JWT's sub field to determine if you already know the user. The primary email address can be changed.
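The backend flow the comments above ask for (send only the Hanko token to the backend, read what you need from it) together with the maintainer's point that the sub UUID, not the email, is the stable identifier, as an added example in Go. This is not Hanko's code and not part of the thread. It assumes an RS256-signed token whose public key would in practice be fetched from Hanko's JWKS endpoint (a locally generated key stands in so it runs offline), and an optional email claim that is this issue's proposal rather than something the 0.8.3 token carries. The user table is keyed by sub; the email, if present, is only a mutable attribute of the record found by sub, and it is never accepted from local storage or any other client-supplied field, since the backend cannot trust it there.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims: Hanko puts the user UUID in "sub"; "email" is the claim this issue proposes (assumed, optional).
type Claims struct {
	Sub   string `json:"sub"`
	Email string `json:"email,omitempty"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func decodeJSON(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignRS256 mints a token so the example runs offline; in a real deployment only Hanko signs.
func SignRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, _ := json.Marshal(c) // cannot fail for this flat struct
	signingInput := b64([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyRS256 pins the algorithm, checks the signature and enforces expiry before any claim is trusted.
// In production pub is the key fetched (and cached) from Hanko's JWKS endpoint (assumed here).
func VerifyRS256(pub *rsa.PublicKey, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &header); err != nil {
		return Claims{}, err
	}
	if header.Alg != "RS256" { // the token must never choose the algorithm
		return Claims{}, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a bad segment cannot verify anyway
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims // only parsed once the signature is known to be good
	if err := decodeJSON(parts[1], &c); err != nil {
		return Claims{}, err
	}
	if c.Sub == "" || now.Unix() >= c.Exp {
		return Claims{}, errors.New("missing sub or expired")
	}
	return c, nil
}

// UserStore stands in for the app's user table, keyed by the Hanko UUID, never by email (it can change).
type UserStore struct{ EmailBySub map[string]string }

// Upsert records a login and reports whether the subject was new; email is a mutable attribute only.
func (s *UserStore) Upsert(c Claims) bool {
	_, known := s.EmailBySub[c.Sub]
	if !known || c.Email != "" {
		s.EmailBySub[c.Sub] = c.Email
	}
	return !known
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for Hanko's signing key
	now := time.Now()
	store := &UserStore{EmailBySub: map[string]string{}}
	sub := "4bc1c9fd-ef2c-4a3b-9f57-7a4a0c4fbe1a" // constructed user UUID
	// The same sub logs in twice with different emails: created once, then only updated.
	for _, email := range []string{"alice@example.com", "alice@new.example"} {
		tok, _ := SignRS256(priv, Claims{Sub: sub, Email: email, Exp: now.Add(time.Hour).Unix()})
		c, err := VerifyRS256(&priv.PublicKey, tok, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("sub=%s email=%s created=%v\n", c.Sub, c.Email, store.Upsert(c))
	}
}
```

Even if an email claim is added to the token, it is a snapshot at issuance time: the second login above finds the existing record by sub and refreshes the email, while a different sub carrying a previously seen email is a new user. A token whose payload was edited, signed by another key, carrying alg none, or past exp is rejected before its claims are read.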

A good solution would be to include the user object in onAuthFlowCompleted.