fix(registration and update): Ensure UID is updated alongside Email, and case-sensitivity is honored

[booleanbetrayal]

@lynndylanhurley -

I missed a registrations_controller::create condition in #57 and fixed that. However, in additional testing I also discovered that uid was not being updated alongside email address, meaning from an authentication standpoint, the uid would never update to reflect the user's desired address change. I swore this worked at some point, but perhaps it broke recently as a result of being more resource friendly? I've added fixes and tests for both conditions, but it's arguable that uid should be abandoned entirely when using email based authentication (would require changes in sessions_controller as well any other place uid is explicitly referenced).

I've found another problem that arises from correctly updating uid though, as ng-token-auth is not context-aware of these updates and will preserve the old uid value in the auth_tokens hash. Meaning, after updating their email address and subsequently hitting a restricted HTTP call, the user will immediately be logged out. This is something that will probably have to happen in the response interceptor logic.

Let me know what your thoughts are. I can workaround it in client code as needed for now.

[lynndylanhurley]

I get what you're saying about the uid value not being necessary for email, but removing it may cause other problems.

Currently, these are all the headers needed to identify a user:

• uid
• token
• client
• expiry

If the user is authenticated by both email and uid depending on the context (OAuth or email), then we need to add another header (provider or something) to let Rails know which attribute to search for users by.

Can we just add something like this to the User model concern?

before_save :sync_uid

def sync_uid
  uid = email if email.changed? and provider == 'email'
end

This would keep the user's uid in sync with their email, and I think it will keep the headers up-to-date as well.

[booleanbetrayal]

Sure thing. Let me tweak my PR a bit.

[booleanbetrayal]

There you go @lynndylanhurley !

I didn't retain the email_changed? check because the user concern explicitly overrides that for some reason. Maybe a comment explaining why would be useful there. Let me know if there are any other tweaks you think I should make.

[lynndylanhurley]

Awesome, thx! I'll review this ASAP!

[booleanbetrayal]

Hey @lynndylanhurley - Was wondering if you had any feedback for this PR or lynndylanhurley/ng-token-auth#64

[lynndylanhurley]

Hey @booleanbetrayal! Sorry for the delay. I haven't forgotten, I've just been super busy. I'll review + merge today for sure!

[booleanbetrayal]

No worries! Just let me know if you need any tweaks or anything. Thanks!

[lynndylanhurley]

Looks great! Thx @booleanbetrayal!!!

[lynndylanhurley]

Version 0.1.30.beta6 includes these fixes. I'll out the 0.1.30 final release on Monday - let me know if you find any more bugs before then!

[booleanbetrayal]

Sweet. Thanks @lynndylanhurley !