Interaction between normal forum user account and Blockstack login

#1

When I signed up for the forum I didn’t use my blockstack id. I’d like to add it now, but it wants me to create a new user. I can’t find a way to connect them.

Can I add my Blockstack ID login to this normal user account on the forum? If so, how?

#2

There was no easy way to do this as of when I created the Discourse Blockstack plugin; Discourse didn’t have support for multiple authentication methods per user or changing authentication methods for a user.

I’m not sure if that’s changed.

Want to open a feature request issue? https://github.com/blockstack/discourse-blockstack/issues

I’d love pull requests that add this functionality if it’s possible now!

1 Like
#3

Not sure, but I added an issue now so we have a place to check. :slight_smile:

1 Like
#4

So I’ve had a look.

It’s actually tricky since we don’t have a way to know whether the user owns the email address they claim in the profile. That’s how all the other services are figuring out what ID to connect to. The Discourse site is just trusting that Google/Facebook/LinkedIn etc has verified the email on their site, so it’s trusting what it’s saying for logging in.

Did we ever get further with a way of proving email ownership?

On the other hand, it might not be so tricky, since Discourse has a way to set email_verified: false but I don’t know if it will manage to verify it again and THEN allow the plugin to log in. It all seems a bit advanced IMHO.


But when reading some other plugins for login, and then reading the Blockstack login plugin, I see it already has configurable functionality for doing this. It looks wildly insecure, however, since it just takes the first item before ‘.’ and if that matches it will OK it.

But it looks like this gaping security hole (which probably wasn’t a security hole before we had more namespaces and especially before sponsored names / subdomains) isn’t enabled on this site :frowning:

Since my username is odinho here, that config item would actually make my odinho.id log me in. However, for obvious reasons you shouldn’t turn it on in its current state, since odinho.iamcoolhacker.id would also log into my account.

I could potentially make this only work for id === username (as it already does) but also check username without tld only for .id.


So after reading this code, it seems like if you make your username the same as your blockstack ID, you’re fine, you can log in to it. Is that correct? It seems like most people do not have that, like you, ryan and vsund.

Is Blockstack login actually working for anyone anymore? It’s working for you guys since you did it before the setting was switched?

I see it would be possible to add blockstack_user_15zrm3fC5enJLJENo7qknorSD1gHoTEBx8: "odinho" to the plugin storage manually of course. :stuck_out_tongue:

1 Like
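
The name matching discussed in post #4 and the decentralized-ID lookup from posts #6 and #7, as an added Ruby example that is not part of the thread or of the discourse-blockstack plugin's code. All method names are hypothetical, the sample names are constructed from those quoted in the thread, and the Blockstack name is assumed to be already verified as belonging to the authenticating user.

```ruby
# Added illustration; not code from discourse-blockstack.
# All method names here are hypothetical.

# Matching as described in post #4: compare the forum username with
# whatever precedes the first '.' of the Blockstack name.
def first_label_match?(blockstack_name, forum_username)
  blockstack_name.to_s.downcase.split('.').first == forum_username.to_s.downcase
end

# Stricter variant proposed in post #4: accept an exact match, or a
# two-label name directly under .id (no subdomain / sponsored names).
def strict_match?(blockstack_name, forum_username)
  name = blockstack_name.to_s.downcase
  user = forum_username.to_s.downcase
  return false if user.empty?
  return true if name == user
  labels = name.split('.', -1) # -1 keeps empty labels such as "odinho..id"
  labels.length == 2 && labels[1] == 'id' && labels[0] == user
end

# Lookup by decentralized ID, as posts #6 and #7 describe it: plugin
# storage maps "blockstack_user_<address>" to a forum username.
def lookup_by_address(store, address)
  store["blockstack_user_#{address}"]
end

# Constructed sample data using the names quoted in the thread.
SAMPLE_NAMES = %w[odinho.id odinho.iamcoolhacker.id odinho.otherns odinho odinho..id].freeze
STORE = { 'blockstack_user_15zrm3fC5enJLJENo7qknorSD1gHoTEBx8' => 'odinho' }.freeze

# Returns [name, first-label result, strict result] for each name.
def compare(names, username)
  names.map { |n| [n, first_label_match?(n, username), strict_match?(n, username)] }
end

if __FILE__ == $PROGRAM_NAME
  compare(SAMPLE_NAMES, 'odinho').each do |name, loose, strict|
    puts format('%-26s first-label=%-5s strict=%s', name, loose, strict)
  end
end
```

The address-keyed lookup does not depend on the name string at all, which is why a mapping for an address has to exist in storage before that login resolves to an account.
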
#5

Shit, sorry for the verboseness.

I actually thought about a much simpler way. Write “Verifying my Blockstack ID is secured with the address 15zrm3fC5enJLJENo7qknorSD1gHoTEBx8” in my profile here. Link that to profile (well, not REALLY needed, but nice for others to see what my forum user is) and have the login plugin check that.

2 Likes
#6

This functionality isn’t enabled in this particular instance. It’s configurable in the instance settings.

You’re correct that this functionality was written before we had even thought of the subdomain/sponsored name concept when it was only possible to have one “.” in a name.

If I recall correctly, the plugin matches users based on their decentralized ID.

2 Likes
#7

You recall correctly. More detailed like this:

blockstack_user_15zrm3fC5enJLJENo7qknorSD1gHoTEBx8: "odinho" in plugin storage

I might try my hand at implementing something for the plugin. Though not that likely to be honest :stuck_out_tongue:

1 Like