Username should be able to be an email address #1816

Closed
opened 2025-11-02 04:14:09 -06:00 by GiteaMirror · 15 comments
Owner

Originally created by @keleathi on GitHub (May 23, 2018).

  • Gitea version (or commit ref): 1.4.1
  • Git version: 2.17.0
  • Operating system: FreeBSD
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • [X ] Not relevant
  • Log gist:
    Failed to login 'user@domain.com' via 'ldap2.domain.local': Invalid pattern for attribute 'username' [user@domain.com]: must be valid alpha or numeric or dash(-_) or dot characters

Description

Users in my ldap directory only have a full email address as their "uid" and therefore their username (for several reasons). I cannot get gitea to function in such an environment, because of the following check in login_source.go:

if binding.AlphaDashDotPattern.MatchString(sr.Username) {
return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", sr.Username)
}

It would be wonderful if the check allowed for "@" characters as well.

Thank you!
...

Screenshots

Originally created by @keleathi on GitHub (May 23, 2018). <!-- 1. Please speak English, this is the language all of us can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/NsatcWJ) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): 1.4.1 - Git version: 2.17.0 - Operating system: FreeBSD - Database (use `[x]`): - [ ] PostgreSQL - [ ] MySQL - [ ] MSSQL - [X] SQLite - Can you reproduce the bug at https://try.gitea.io: - [ ] Yes (provide example URL) - [ ] No - [X ] Not relevant - Log gist: Failed to login 'user@domain.com' via 'ldap2.domain.local': Invalid pattern for attribute 'username' [user@domain.com]: must be valid alpha or numeric or dash(-_) or dot characters ## Description Users in my ldap directory only have a full email address as their "uid" and therefore their username (for several reasons). I cannot get gitea to function in such an environment, because of the following check in login_source.go: > if binding.AlphaDashDotPattern.MatchString(sr.Username) { > return nil, fmt.Errorf("Invalid pattern for attribute 'username' [%s]: must be valid alpha or numeric or dash(-_) or dot characters", sr.Username) > } It would be wonderful if the check allowed for "@" characters as well. Thank you! ... ## Screenshots <!-- **If this issue involves the Web Interface, please include a screenshot** -->
GiteaMirror added the type/proposaltype/enhancement labels 2025-11-02 04:14:09 -06:00
Author
Owner

@benyanke commented on GitHub (Jun 5, 2018):

Thought: perhaps this should be a boolean option, since it could break other things.

@benyanke commented on GitHub (Jun 5, 2018): Thought: perhaps this should be a boolean option, since it could break other things.
Author
Owner

@sbstp commented on GitHub (Jun 5, 2018):

What would the users slug be in the URLs? gitea.com/email@domain.com/<repo>? I think there are allowed characters in email addresses that are not allowed in URLs.

@sbstp commented on GitHub (Jun 5, 2018): What would the users slug be in the URLs? `gitea.com/email@domain.com/<repo>`? I think there are allowed characters in email addresses that are not allowed in URLs.
Author
Owner

@chossimbaone commented on GitHub (Jun 18, 2018):

This will also be nice for multi forrest ad users.

@chossimbaone commented on GitHub (Jun 18, 2018): This will also be nice for multi forrest ad users.
Author
Owner

@clarfonthey commented on GitHub (Jun 21, 2018):

@sbstp are you sure? I'm fairly certain that this could be done.

Mentions for these emails would also work, using @user@domain like Mastodon and other ActivityPub-based systems do.

@clarfonthey commented on GitHub (Jun 21, 2018): @sbstp are you sure? I'm fairly certain that this could be done. Mentions for these emails would also work, using @user@domain like Mastodon and other ActivityPub-based systems do.
Author
Owner

@techknowlogick commented on GitHub (Jun 21, 2018):

Federation is currently being worked on (via a separate working group), and so this is something that will need to be evaluated in that context, as if emails are allowed, how would we mention across instances if an account on one instance is an email, especially if it contains a domain that doesn't match the domain of the git server.

@techknowlogick commented on GitHub (Jun 21, 2018): Federation is currently being worked on (via a separate working group), and so this is something that will need to be evaluated in that context, as if emails are allowed, how would we mention across instances if an account on one instance is an email, especially if it contains a domain that doesn't match the domain of the git server.
Author
Owner

@tommie commented on GitHub (Oct 29, 2018):

I have reverse proxy authentication set up. My Apache uses OpenID Connect, and I use it as SSO for a bunch of personal things.

When I use a Google identity, the default for mod_auth_openidc is to use "sub" as the remote user, which is a long integer and domain: 9999999999999999@accounts.google.com

I've changed it to use the "email" claim instead, which means it still contains an @-sign.

Whenever I go to my profile page (for either of them) and try to change my username, it seems a new user is created. When I try to change anything else (and leaving username alone), it rejects it saying the username is invalid.

It would indeed be nice to make that work. Since I want auto-registration (and handle authorization in Apache), I can't guarantee user-ID uniqueness except if it includes the domain.

@tommie commented on GitHub (Oct 29, 2018): I have reverse proxy authentication set up. My Apache uses OpenID Connect, and I use it as SSO for a bunch of personal things. When I use a Google identity, the default for mod_auth_openidc is to use "sub" as the remote user, which is a long integer and domain: 9999999999999999@accounts.google.com I've changed it to use the "email" claim instead, which means it still contains an @-sign. Whenever I go to my profile page (for either of them) and try to change my username, it seems a new user is created. When I try to change anything else (and leaving username alone), it rejects it saying the username is invalid. It would indeed be nice to make that work. Since I want auto-registration (and handle authorization in Apache), I can't guarantee user-ID uniqueness except if it includes the domain.
Author
Owner

@lafriks commented on GitHub (Oct 30, 2018):

that should probably be handled in oauth instead by for example replacing @ sign with - or something like that

@lafriks commented on GitHub (Oct 30, 2018): that should probably be handled in oauth instead by for example replacing `@` sign with `-` or something like that
Author
Owner

@realslacker commented on GitHub (Jan 7, 2020):

Maybe it would work to change just the sanitizeUserDN to replace all instances of %s instead of just using sprintf for the first. Then you could use an LDAP filter like:

(&(objectClass=user)(|(sAMAccountName=%s)(UserPrincipalName=%s)(mail=%s)))
@realslacker commented on GitHub (Jan 7, 2020): Maybe it would work to change just the [sanitizeUserDN](https://github.com/go-gitea/gitea/blob/940636863370855f39688ddf0aae41667ac8935c/modules/auth/ldap/ldap.go#L195) to replace all instances of %s instead of just using sprintf for the first. Then you could use an LDAP filter like: (&(objectClass=user)(|(sAMAccountName=%s)(UserPrincipalName=%s)(mail=%s)))
Author
Owner

@wilful commented on GitHub (Jan 24, 2020):

I have a similar problem. My LDAP has Mail and userPrincipalName. I do like this:

User Filter: (|(userPrincipalName=%[1]s)(mail=%[1]s))
username: userPrincipalName

userPrincipalName like as name.secondname@domain.ltd
mail like as sn_name@domain.ltd

After that, the user can log in by mail of the form: sn_name@domain.ltd
Username is userPrincipalName, i.e. Link to the profile is obtained as follows:
https://git.domain.ltd/name.secondname@domain.ltd
And this works, but if I try to use userPrincipalName with login, I get:

2020/01/24 12:44:31 ...dels/login_source.go:717:UserSignIn() [W] Failed to login 'name.secondname@domain.ltd' via 'LDAP': Invalid pattern for attribute 'username' [name.secondname@domain.ltd]: must be valid alpha or numeric or dash(-_) or dot characters

@wilful commented on GitHub (Jan 24, 2020): I have a similar problem. My LDAP has Mail and userPrincipalName. I do like this: > User Filter: (|(userPrincipalName=%[1]s)(mail=%[1]s)) > username: userPrincipalName userPrincipalName like as name.secondname@domain.ltd mail like as sn_name@domain.ltd After that, the user can log in by mail of the form: sn_name@domain.ltd Username is userPrincipalName, i.e. Link to the profile is obtained as follows: https://git.domain.ltd/name.secondname@domain.ltd And this works, but if I try to use userPrincipalName with login, I get: > 2020/01/24 12:44:31 ...dels/login_source.go:717:UserSignIn() [W] Failed to login 'name.secondname@domain.ltd' via 'LDAP': Invalid pattern for attribute 'username' [name.secondname@domain.ltd]: must be valid alpha or numeric or dash(-_) or dot characters
Author
Owner

@bipinmathew commented on GitHub (Apr 21, 2020):

Was this functionality lost again? I was able to use LDAP emails as user-ids in version 1.7.0, but when I upgraded to version 1.12.0+dev-171-g12960b9d1 it does not seem to work any more, and with the same error:

Error creating user @: User name is invalid [@]: must be valid alpha or numeric or dash(-_) or dot characters

@bipinmathew commented on GitHub (Apr 21, 2020): Was this functionality lost again? I was able to use LDAP emails as user-ids in version 1.7.0, but when I upgraded to version 1.12.0+dev-171-g12960b9d1 it does not seem to work any more, and with the same error: > Error creating user <email>@<domain>: User name is invalid [<email>@<domain>]: must be valid alpha or numeric or dash(-_) or dot characters
Author
Owner

@ceelian commented on GitHub (May 28, 2020):

Any news on this topic for version 1.12?

@ceelian commented on GitHub (May 28, 2020): Any news on this topic for version 1.12?
Author
Owner

@zeripath commented on GitHub (May 29, 2020):

@voidbip yes unfortunately the functionality had to be lost due to a security issue with it.

What we need to do is allow LDAP to provide a mapping function from an email address to a username.

@zeripath commented on GitHub (May 29, 2020): @voidbip yes unfortunately the functionality had to be lost due to a security issue with it. What we need to do is allow LDAP to provide a mapping function from an email address to a username.
Author
Owner

@LeDevAlsacien commented on GitHub (Sep 7, 2021):

Hello, i'm trying to use our LDAP as authentification.

the user usually use email to authenticate and we can't use UID as is one letter and digit (ex: r160459) so the user can't remember that kind of information.

Any news for future version of gitea ?

thanks !

Edit: found a workaround, we have an LDAP attribute that we can use with "Name.GivenName" that work pretty well 👍

@LeDevAlsacien commented on GitHub (Sep 7, 2021): Hello, i'm trying to use our LDAP as authentification. the user usually use email to authenticate and we can't use UID as is one letter and digit (ex: r160459) so the user can't remember that kind of information. Any news for future version of gitea ? thanks ! Edit: found a workaround, we have an LDAP attribute that we can use with "Name.GivenName" that work pretty well 👍
Author
Owner

@wxiaoguang commented on GitHub (Sep 7, 2021):

Years ago, I also used E-mail as username in LDAP and other systems. Then I have to admit that this is one of most bad mistakes I have made. Using E-mail as username leads to various problems. Then our team spent more time to migrate the account system from E-mail username to regular username.

Even if you have different companies/organizations/domains, even if you want to use different domains for E-mails, do not use E-mail as username. You can have a unique regular username in you system and map it to different E-mails.

So I would always down vote for the E-mail as username decision (of course, you can login via E-mail address which is mapped to a regular username).

@wxiaoguang commented on GitHub (Sep 7, 2021): Years ago, I also used E-mail as username in LDAP and other systems. Then I have to admit that this is one of most bad mistakes I have made. Using E-mail as username leads to various problems. Then our team spent more time to migrate the account system from E-mail username to regular username. Even if you have different companies/organizations/domains, even if you want to use different domains for E-mails, do not use E-mail as username. You can have a unique regular username in you system and map it to different E-mails. So I would always down vote for the E-mail as username decision (of course, you can login via E-mail address which is mapped to a regular username).
Author
Owner

@techknowlogick commented on GitHub (Sep 9, 2021):

Closing per reasons above

@techknowlogick commented on GitHub (Sep 9, 2021): Closing per reasons above
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#1816