Remove validation on uniqueness of email adresses and usernames

[jorg-vr]

This pull request removes the uniqueness requirement for email and username within the same institution. Instead of blocking this option, user receive the choice to sign in with their persumed existing account and link them or to create a new account:

• Tests were added

[coderabbitai]

Warning

Rate limit exceeded

@jorg-vr has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 14 minutes and 46 seconds before requesting another review.

How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Commits

Files that changed from the base of the PR and between 2d6e317 and 87f4d6a.

Walkthrough

The pull request introduces significant changes to the authentication process, including the simplification of user identity verification during login by removing checks for duplicate emails associated with providers. The logic for finding user identities has been streamlined, focusing on primary identifiers. Additionally, validation rules for uniqueness of usernames and emails in the User model have been removed, allowing duplicates within institutions. New HTML elements and localization strings have been added to enhance user experience during account creation. A migration has been introduced to modify unique indexes in the database schema.

Changes

File	Change Summary
app/controllers/auth/omniauth_callbacks_controller.rb	Streamlined login logic, removed duplicate email checks, condensed user identity finding logic, and eliminated redirect_duplicate_email_for_provider! method.
app/models/user.rb	Removed uniqueness validations for username and email within the context of an institution.
app/views/auth/redirect_to_known_provider.html.erb	Added new HTML elements for account creation, including headers, paragraphs, and a button linking to the account creation path.
config/locales/views/auth/en.yml	Added new localization strings for account creation guidance in English.
config/locales/views/auth/nl.yml	Added new localization strings for account creation guidance in Dutch.
db/migrate/20240911085152_remove_email_uniqueness.rb	Migration to remove unique indexes for email and username in the users table.
db/schema.rb	Updated schema to reflect the removal of unique indexes on email and username.
test/controllers/auth/omniauth_callbacks_controller_test.rb	Modified tests to focus on email validation, removed outdated Office 365 and Smartschool tests, and added a test for creating a new user with existing email and username.
test/testhelpers/constants.rb	Introduced a new constant EMAIL_REQUIRED_PROVIDERS to specify which providers require an email.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

Outside diff range and nitpick comments (2)

app/models/user.rb (1)

Consider Adding a Database-Level Unique Index for username Scoped to institution_id.

The removal of the uniqueness validation for username within the context of an institution is not currently compensated by a database-level constraint. While there are tests that handle scenarios involving overlapping usernames, these are not sufficient to ensure data integrity across the entire application.

• Recommendation: Add a database-level unique index on the username column scoped to institution_id to enforce uniqueness and prevent potential data integrity issues.
• Test Coverage: Review and potentially expand the test coverage to ensure all scenarios involving overlapping usernames are adequately handled.

Analysis chain

Line range hint 1-1: Verify the impact of removing the uniqueness validation for username.

Removing the validation rule that ensures the uniqueness of username within the context of an institution could lead to the following issues:

• Multiple users within the same institution can have the same username, leading to confusion and difficulty in uniquely identifying users.
• Parts of the application that rely on the uniqueness of username within an institution might break.

Thoroughly test the application to ensure that removing this validation does not introduce any bugs or inconsistencies. Pay special attention to features that rely on the uniqueness of username within an institution.

Consider adding a database-level unique index on the username column scoped to the institution_id to enforce uniqueness at the database level and prevent potential data integrity issues.

Scripts executed

The following scripts were executed for the analysis:

Script:

# Check if there are any existing duplicate usernames within the same institution
echo "SELECT institution_id, username, COUNT(*) FROM users GROUP BY institution_id, username HAVING COUNT(*) > 1;" | rails dbconsole

Length of output: 207

---

Script:

#!/bin/bash
# Search for any database constraints or indexes related to username uniqueness
rg --context 5 'CREATE\s+UNIQUE\s+INDEX' --glob '*.rb' --glob '*.sql'

# Search for any tests that might cover the scenario of duplicate usernames within the same institution
rg --context 5 'username' --glob '*_test.rb' --glob '*_spec.rb'

Length of output: 42982

db/schema.rb (1)

13-13: Use underscores as thousands separators in numeric literals.

rubocop has flagged a convention issue:

[convention] 13-13: Use underscores(_) as thousands separator and separate every 3 digits with them.

To improve code readability, it is recommended to use underscores as thousands separators in numeric literals.

Apply this diff to fix the convention issue:

-ActiveRecord::Schema[7.2].define(version: 2024_09_11_085152) do
+ActiveRecord::Schema[7.2].define(version: 2024_09_11_085_152) do

Tools

rubocop

[convention] 13-13: Use underscores(_) as thousands separator and separate every 3 digits with them.

(Style/NumericLiterals)

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between c3a1c98 and 2d6e317.

Files selected for processing (9)

• app/controllers/auth/omniauth_callbacks_controller.rb (4 hunks)
• app/models/user.rb (1 hunks)
• app/views/auth/redirect_to_known_provider.html.erb (1 hunks)
• config/locales/views/auth/en.yml (1 hunks)
• config/locales/views/auth/nl.yml (1 hunks)
• db/migrate/20240911085152_remove_email_uniqueness.rb (1 hunks)
• db/schema.rb (2 hunks)
• test/controllers/auth/omniauth_callbacks_controller_test.rb (4 hunks)
• test/testhelpers/constants.rb (1 hunks)

Files skipped from review due to trivial changes (1)

• config/locales/views/auth/en.yml

Additional context used

rubocop

db/migrate/20240911085152_remove_email_uniqueness.rb

[convention] 3-3: You can use change_table :users, bulk: true to combine alter queries.

(Rails/BulkChangeTable)

---

[convention] 3-3: remove_index(without column) is not reversible.

(Rails/ReversibleMigration)

---

[convention] 3-3: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 4-4: remove_index(without column) is not reversible.

(Rails/ReversibleMigration)

---

[convention] 4-4: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

db/schema.rb

[convention] 13-13: Use underscores(_) as thousands separator and separate every 3 digits with them.

(Style/NumericLiterals)

Additional comments not posted (13)

test/testhelpers/constants.rb (1)

4-4: LGTM!

The code changes are approved for the following reasons:

• The constant is correctly defined and follows the naming convention.
• The constant is frozen to prevent modifications.
• The constant is defined as a subset of AUTH_PROVIDERS, which is a good practice to maintain consistency and avoid duplication.
• The constant is used to distinguish between authentication providers that require an email and those that don't.
• The constant is defined in the Constants module, which is a good practice to group related constants together.

app/views/auth/redirect_to_known_provider.html.erb (1)

19-24: LGTM!

The changes to the redirect_to_known_provider.html.erb file are approved.

The new section for creating a new account enhances the user interface by providing a clear option to users. The button uses the appropriate POST method to initiate the account creation process. The changes are consistent with the existing code structure and follow the Rails conventions.

config/locales/views/auth/nl.yml (3)

25-25: LGTM!

The code changes are approved.

---

26-26: LGTM!

The code changes are approved.

---

27-27: LGTM!

The code changes are approved.

app/controllers/auth/omniauth_callbacks_controller.rb (3)

Line range hint 134-141: LGTM!

The changes to the try_login! method look good:

• The removal of the duplicate email handling logic simplifies the flow and reduces complexity.
• The addition of the new user confirmation logic improves the user experience by providing a clear choice when a user with the same email is found in another institution.
• The changes align with the PR objective of removing validation on uniqueness of email addresses.

---

222-222: LGTM!

The simplification of the find_identity_by_uid method looks good:

• The removal of the extensive logic for identifying users based on various criteria reduces complexity and improves maintainability.
• The method now focuses solely on the primary identifier, which is a cleaner approach.
• The changes align with the PR objective of simplifying the user identity verification during login.

---

340-342: LGTM!

The addition of lines to store information required for creating a new account or linking the new sign-in method to an existing account looks good:

• The added lines provide necessary information for handling the user's choice to either create a new account or link the new sign-in method to an existing account.
• The changes align with the PR objective of allowing users the flexibility to either sign in with their presumed existing account and link it or create a new account if they prefer.

test/controllers/auth/omniauth_callbacks_controller_test.rb (1)

612-653: LGTM!

The test case can create new user with same email and username as existing user is well-structured and covers the expected behavior:

1. It sets up the necessary prerequisites (institution, user, providers).
2. It simulates the user logging in with a different provider, which should not create a new user.
3. It verifies that the user is presented with an option to create a new account.
4. It confirms creating a new user, which should create a new user with the same email and username but a different ID.

The code changes are approved.

app/models/user.rb (1)

Line range hint 1-1: Carefully consider the consequences of allowing duplicate email addresses within an institution.

Removing the validation rule that ensures the uniqueness of email within the context of an institution can result in the following problems:

• Multiple users within the same institution can have the same email, leading to issues with user identification, authentication, and communication.
• It violates the common expectation that email addresses serve as unique identifiers for users within an institution.

Before proceeding with this change, thoroughly assess its impact on the application's functionality and user experience. Consider the following:

• How will the application handle multiple users with the same email address within an institution?
• Will it affect the login process, password reset functionality, or any other authentication-related features?
• How will it impact email communication with users?

If allowing duplicate email addresses within an institution is a deliberate design decision, ensure that the application is updated to handle such cases gracefully and that users are informed about the potential implications.

To identify any existing duplicate email addresses within the same institution, run the following query:

If duplicates are found, determine how to handle them before deploying the changes to production.

db/schema.rb (3)

13-13: LGTM!

The ActiveRecord schema version has been updated to reflect the latest migration. The version number follows the expected format.

Tools

rubocop

[convention] 13-13: Use underscores(_) as thousands separator and separate every 3 digits with them.

(Style/NumericLiterals)

---

Line range hint 1-1000: Verify the impact of removing the unique index on user identification and mentions.

The unique index index_users_on_username_and_institution_id on the combination of username and institution_id columns in the users table has been removed. This change allows users to have the same username within an institution.

Please ensure that the removal of this unique constraint does not introduce any issues with user identification and mentions within the application. Consider the following:

1. Review any user-mentioning functionality (e.g., in comments, notifications, etc.) to ensure it handles non-unique usernames within an institution correctly.
2. Verify that user profiles and public pages display the correct user information when there are multiple users with the same username within an institution.
3. Ensure that any user search or autocomplete features are updated to handle non-unique usernames within an institution.
4. Test the application thoroughly to identify any areas where user identification or mentions may be ambiguous or incorrect due to non-unique usernames.

To verify the impact of removing the unique index, you can run the following script:

Review the search results and ensure that the codebase handles non-unique usernames within an institution correctly. If any issues are identified, please address them before merging this PR.

Tools

rubocop

[convention] 529-529: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 530-530: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 531-531: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 532-532: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 532-532: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 533-533: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 533-533: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 534-534: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 534-534: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

Line range hint 1-1000: Verify the impact of removing the unique index on user authentication and account management.

The unique index index_users_on_email_and_institution_id on the combination of email and institution_id columns in the users table has been removed. This change allows users to have the same email address within an institution.

Please ensure that the removal of this unique constraint does not introduce any issues with user authentication and account management. Consider the following:

1. Verify that the user registration process handles duplicate email addresses within the same institution correctly.
2. Ensure that the user authentication process (login, password reset, etc.) is updated to handle non-unique email addresses within an institution.
3. Review any email-based notifications or communications to ensure they are sent to the correct user(s) within an institution.
4. Test the user account management features (profile updates, account deletion, etc.) to ensure they function correctly with non-unique email addresses.

To verify the impact of removing the unique index, you can run the following script:

Review the search results and ensure that the codebase handles non-unique email addresses within an institution correctly. If any issues are identified, please address them before merging this PR.

Tools

rubocop

[convention] 529-529: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 530-530: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 531-531: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 532-532: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 532-532: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 533-533: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 533-533: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 534-534: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)

---

[convention] 534-534: Prefer single-quoted strings when you don't need string interpolation or special symbols.

(Style/StringLiterals)