UsernamePasswordAuthUser's id shouldn't be the hashed password about play-authenticate HOT 6 CLOSED

By default the hashed password gets saved as the user ID in the sample for the password provider - that's why this gets returned. The sample application does not necessarily need the emails to be unique, as you can sign up via OAuth, etc. and the email gets set, but not verified in the beginning. A user could possibly have multiple accounts with the same email in the sample. Automatically merging the accounts based on email is a bad idea in case one of your providers gets compromised. Facebook for example does not guarantee the email really belongs to the user. if you want the email to be the ID, you would need to change the sample and store the password elsewhere - you'd be breaking the paradigm play! authenticate works with additionally.

from play-authenticate.

Well, yes, email as ID is probably a bad idea.

But I can't see how the user is fetched from the database when the session doesn't contain any identifier to User. The session seems to only be used to check if it contains some keys.
For example, in PlayAuthenticate the USER_KEY's value is set to some random number.

    public static void storeUser(final Session session, final AuthUser authUser) {

        // User logged in once more - wanna make some updates?
        final AuthUser u = getUserService().update(authUser);

        session.put(PlayAuthenticate.USER_KEY, u.getId());
        session.put(PlayAuthenticate.PROVIDER_KEY, u.getProvider());
        if (u.expires() != AuthUser.NO_EXPIRATION) {
            session.put(EXPIRES_KEY, Long.toString(u.expires()));
        } else {
            session.remove(EXPIRES_KEY);
        }
    }

How will the user that is logged in with email and password be fetched and validated from the DB when the USER_KEY is set some random string?

from play-authenticate.

Have you looked at the UserService? I will look into the exception.

from play-authenticate.

The exception is valid: "RuntimeException: Account not enabled for password usage" - did you try resetting a password for an OAuth-generated account? Its not enabled on heroku, you can enable it in your installation however if you want to and allow adding a password to an OAuth-based account.

from play-authenticate.

The UsernamePasswordAuthUser class has a getEmail method defined, see here: https://github.com/joscha/play-authenticate/blob/master/code/app/com/feth/play/module/pa/providers/password/UsernamePasswordAuthUser.java and here: https://github.com/joscha/play-authenticate/blob/master/samples/java/play-authenticate-usage/app/models/User.java#L120

from play-authenticate.

What do you mean? The email is given at login in the form, when using the UsernamePassword provider?!

from play-authenticate.