Auth with Username and Password?

Greetings! Is it possible to Auth with a Username and Password?

I see that email Auth allows me to set the user’s Username when the account is created, but I presume for subsequent logins the user will still need to provide their email and password.

What I would like:
On first time login→ User completes a “new account” flow and provides Username, Email, and Password. Username and email are confirmed to be unique, then the account is created.

On subsequent login→ User provides username and password.

I would like to verify the usernames are unique at account creation time, and have the user provide their username rather than their email on subsequent logins. Is this possible?

Thank you!

Hi @Mehoo462,

If you set up an account with email and password, you can also optionally set a username - otherwise one will be generated automatically.

For an existing account, if you provide username + password via the email endpoint (or the respective SDK functions), it’s possible to authenticate without providing the email.

Hope this clarifies

Oh this is fantastic! Exactly what I was hoping for. Is this documented somewhere that I’ve missed?

https://heroiclabs.com/docs/nakama/concepts/authentication/#email

For C++ the function is client->authenticateEmail(email, password, username, create, {}, successCallback, errorCallback);

I can collect the user’s email at account creation time. But if I only have the username at signIn time, do I just send an empty string variable as the email argument?
Thanks!

Yep that should work, if not it may be a bug in the SDK, do let us know.

This worked! Thanks!

Now that I have my auth mostly stood up, I’m noticing some unexpected behaviors.

First, a new user who tries to register with an email that already exists will get “Invalid credentials” which is a weird message to give at account creation time.

Second, it looks like the username is ignored if email and password are provided. This raises the extremely unlikely, but unsettling case where a new user tries to create an account. They put in their own username, but accidentally type an email and password that matches an existing account. In this case they just get logged in as the other user instead of creating a new account for themselves or getting told “that email already exists”.

Neither of these are huge problems, but they are a little strange. Fixing would probably require a separate API for account creation. And validating both email and username if they are both provided.

Could these potentially be abused?

Some of these are side-effects of streamlining the account API into a single endpoint to simplify signing in to be as frictionless as possible, but I’ll respond to each:

On the first issue, I suppose we could improve the error message, but ideally your UI would distinguish between account creation/sign in by setting the create request flag accordingly, and if it’s a creation and an error is returned, you can prompt the user that the email is already taken.

On the second issue, same thing, and you can be clever to disallow this from happening in the client. Regardless, if you guess another user’s email and password, I suppose it wouldn’t be any different than mistyping your own username to an existing one and also guessing their password (or having the same). I don’t think there’s much that can be done to prevent such a thing other than having MFA set up, which is something that can be implemented although it’s not supported out-of-the-box.

Best.
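
Added example, not code from this thread or from the Nakama SDK: one way a client can keep registration and sign-in as separate flows, as suggested above, and refuse the session when a registration attempt lands on an existing account. `AuthOutcome`, `Request`, `buildRequest` and `classify` are hypothetical names, and it is an assumption that the authenticate result tells the client whether the account was just created and which username the session carries.

```cpp
#include <string>

// Hypothetical stand-in for what an email authenticate call returned; the
// fields are assumptions about what the SDK's session or error exposes.
struct AuthOutcome {
    bool ok;               // a session was returned
    bool created;          // the account was created by this very call
    std::string username;  // username carried by the returned session
};

enum class Flow { Register, SignIn };
enum class Verdict { Accept, EmailTaken, ExistingAccount,
                     UsernameMismatch, BadCredentials };

struct Request { std::string email, password, username; bool create; };

// Register sends all three fields with create=true; sign-in sends an empty
// email with create=false, so a typo can never create a stray account.
bool buildRequest(Flow flow, const std::string& email, const std::string& password,
                  const std::string& username, Request& out) {
    if (username.empty() || password.empty()) return false;
    if (flow == Flow::Register && email.empty()) return false;
    out = Request{flow == Flow::Register ? email : std::string(), password,
                  username, flow == Flow::Register};
    return true;
}

// Decide whether the client may keep the session it got back.
Verdict classify(Flow flow, const Request& req, const AuthOutcome& r) {
    if (flow == Flow::SignIn)
        return r.ok ? Verdict::Accept : Verdict::BadCredentials;
    // Registration: an error here is the "Invalid credentials" case from the
    // thread, which the UI should present as "email already taken".
    if (!r.ok) return Verdict::EmailTaken;
    // Email and password matched an existing account, so the server signed
    // the user in instead of creating one: drop the session, do not proceed.
    if (!r.created) return Verdict::ExistingAccount;
    // Confirm the new account carries the username the user asked for.
    if (r.username != req.username) return Verdict::UsernameMismatch;
    return Verdict::Accept;
}
```

On `ExistingAccount` the client should discard the returned session and send the user to the sign-in screen rather than continuing as the matched account.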