User Accounts and Authentication
## Authentication in Yotta

Yotta requires users to be authenticated in two circumstances:

- When using `yotta publish` to publish a new version of a module to the yotta registry, yotta needs to ensure you have permission to publish the current module.
- When pulling module dependencies that have been specified as GitHub URLs, yotta asks you to authenticate with GitHub to get you a GitHub API access token that can be used to download modules (including modules in private repositories that you have access to).
In both cases yotta uses a third party OAuth2 provider to verify your identity. If you are attempting to publish, this can be any supported provider; if you need to access modules from GitHub, you must log in with GitHub.
Yotta uses email addresses as users' identities – so we only recognise email addresses that trusted providers have verified by sending email.
If the user has any verified emails on their account that match any email addresses allowed to publish the package then permission is granted.
For any valid GitHub login that grants yotta permission, the yotta registry forwards the GitHub access token to the requesting client.
## Example Scenarios

We need to support (or provide error messages for) the following scenarios without unexpected behaviour:
Any verified email on the GitHub account must match any one of the emails from the mbed account. If it doesn't, this is the next case. Any other verified email addresses from the GitHub account are added to the existing account.
An error is reported to the user in the browser, telling the user their existing email addresses and explaining that the GitHub account needs to share a verified email with their logged in account (or they could log out).
Each time you log in with an mbed account with the same primary email on a new computer, the new key that you've generated is added to the existing account with that primary email. If you log in on a new computer with an account that shares only secondary emails with a primary or secondary email of another account, then a new account is created.
If the GitHub account has the same primary email as any existing account, then the new key, GitHub token and emails are added to the existing account. Otherwise a new account is created with the new key and new primary email.
Any verified email on the mbed account must match any one of the emails from the GitHub account. If it doesn't, this is the next case. Any other verified email addresses from the mbed account are added to the existing account.
An error is reported to the user in the browser, telling the user their existing email addresses and explaining that the mbed account needs to share a verified email with their logged in account (or they could log out).
Each time you log in with a GitHub account with the same primary email on a new computer, the new key that you've generated is added to the existing account with that primary email. If you log in on a new computer with an account that shares only secondary emails with a primary or secondary email of another account, then a new account is created.
If the mbed account has the same primary email as any existing account, then the new key and emails are added to the existing account. Otherwise a new account is created with the new key and new primary email.
Two users log in with mbed with different emails A and B, then both log into GitHub with emails A and B.
Both users get emails A and B added to their existing, different accounts, and get a GitHub access token.
When logging in on a new computer (new key), the primary email address needs to match an existing primary address for the accounts to be merged.
When logging in with an additional provider on the same computer (existing key), then any matching email address between the two accounts is sufficient for the tokens and verified emails provided by the new provider to be added to the existing account associated with the key being used.
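The two merging rules above, together with the publish check (any verified email on the account matching an allowed publisher), as an added example; this is not yotta's own code, and the `Account` model, `login`, `can_publish` and `NoSharedEmail` names are assumptions made for illustration.

```python
"""Account-merging rules from the yotta wiki, as an added example
(not yotta's own code). Data model and function names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Account:
    primary_email: str
    emails: set            # all verified emails, primary included
    keys: set              # keys of the computers this account has logged in from
    tokens: dict = field(default_factory=dict)  # provider -> access token


class NoSharedEmail(Exception):
    """Raised when an additional provider on an existing key shares no verified email.
    Its argument lists the account's existing emails, for the browser error message."""


def login(accounts, key, provider, primary, verified, token=None):
    """Apply one login and return the account the credentials were attached to."""
    verified = set(verified) | {primary}
    # Existing key: the account is fixed by the key; any shared verified email
    # is enough to add the new provider's token and emails.
    for acct in accounts:
        if key in acct.keys:
            if not (acct.emails & verified):
                raise NoSharedEmail(sorted(acct.emails))
            acct.emails |= verified
            if token:
                acct.tokens[provider] = token
            return acct
    # New key (new computer): only a matching primary email merges into an
    # existing account; secondary-only matches create a separate account.
    for acct in accounts:
        if acct.primary_email == primary:
            acct.keys.add(key)
            acct.emails |= verified
            if token:
                acct.tokens[provider] = token
            return acct
    acct = Account(primary, verified, {key})
    if token:
        acct.tokens[provider] = token
    accounts.append(acct)
    return acct


def can_publish(acct, allowed_publishers):
    """Publish permission: granted if any verified email matches an allowed one."""
    return bool(acct.emails & set(allowed_publishers))
```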