last modified: Feb 19, 2007
(first posted: Jan 16, 2007)
keywords: authemail registration validation

Authentication with Email Address Only

You can simplify things for your users if you allow them to register and log in with their email address rather than username.

 

During registration, by default, Xaraya asks for a login name (username), display name (name), email, and password. The distinction between these may be clear to some of us, but "normal" people don't need (and are confused by) so many parameters.

There are 3 parts to user management (at least): registration (to sign up), validation (to verify/activate the account), and authentication (to log in). I'll discuss these out of order.

Authentication: Email Login Using Authemail Module

The authemail module lets you simplify things for your users, allowing them to log in with their email address rather than their username. It's just one less thing to have to remember.

Just install the module. Then under Admin > Base > Config > Sessions/Security, choose the Authemail module from the list of Authentication Modules, and move it to the top of the list. That's it.

Well, I think authemail assumes each account has a unique email address. So be sure you've checked the "Email Address Must Be Unique To Each Registered User" checkbox in Admin > Registration > Config > Registration.

Now at the login prompt, you can enter either your normal login name, or your email address.

You might also want to change the login templates to prompt for Email Address rather than Username, such as mytheme/modules/authsystem/blocks/login.xt and authsystem/user-choices.xt. Note that, a bit out of character (I think) for Xaraya's Blocklayout, you will also need a template authsystem/user-showloginform.xt which contains the following line:

<xar:template type="system" file="user-choices.xt"/> 	

Registration: Eliminating Username During Registration

I've taken this one step further on several sites, and don't even bother asking for a username during registration. Just "Full name" (display name), "Email" and "Password".

The problem here is that Xaraya requires a username, even if it's not used during login (as is the case with the authemail module).

During registration, the username field can be made a hidden field, and populated (say, via JavaScript) with the contents of the display name or email fields, for example. Or, it could have a random value stuffed in there, such as using function date() or rand().

The problem with random numbers is that they aren't very informative, for example when you look at accounts in the Roles admin GUI screens. A problem with using the display name is that a username cannot contain space characters, so you'll need to strip them or str_replace them with underscores (for example).

Another problem with copying the display name or email is that the user can change these in their Account Profile. I wouldn't necessarily bother to keep these in sync (when one is updated, update the other) but you could. Then again, it might be confusing to have one email address in the email field and a different (old) one in uname.
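A hidden field filled in by JavaScript is still client-supplied input, so the value has to be rebuilt or checked on the server. The following is an added example, not code from Xaraya or from this site: one way to derive the username server-side from the display name, with the fallbacks discussed above. The function name derive_uname, the $isTaken lookup, the character allowlist and the 32-character cap are all assumptions of the example.

```php
<?php
// Added example: every name here is hypothetical, not Xaraya API.

/**
 * Build a login name from the display name, falling back to the email's
 * local part, then make it unique with a numeric suffix.
 * $isTaken is a caller-supplied lookup (e.g. a query on the roles table).
 */
function derive_uname(string $displayName, string $email, callable $isTaken): string
{
    // Collapse each run of whitespace to one underscore (usernames cannot
    // contain spaces), then drop anything outside a conservative allowlist.
    // The allowlist and the 32-character cap are assumptions of this example.
    $clean = function (string $s): string {
        $s = preg_replace('/\s+/u', '_', trim($s)) ?? '';
        $s = preg_replace('/[^A-Za-z0-9_.-]/', '', $s) ?? '';
        return substr(trim($s, '_.-'), 0, 32);
    };

    $base = $clean($displayName);
    if ($base === '') {
        // Display name had no usable characters; use the part before "@".
        $base = $clean(strstr($email, '@', true) ?: $email);
    }
    if ($base === '') {
        // Last resort: a random value that cannot be guessed from other fields.
        $base = 'user_' . bin2hex(random_bytes(4));
    }

    // Resolve collisions: jane_doe, jane_doe_2, jane_doe_3, ...
    $candidate = $base;
    for ($n = 2; $isTaken($candidate); $n++) {
        $candidate = $base . '_' . $n;
    }
    return $candidate;
}

// Constructed sample data standing in for the roles table
// (compared case-insensitively, another assumption of the example).
$existing = ['jane_doe' => true];
$isTaken  = fn(string $u): bool => isset($existing[strtolower($u)]);

foreach ([['Jane Doe', 'jane@example.test'], ['  ', 'sam.lee@example.test']] as [$name, $mail]) {
    echo derive_uname($name, $mail, $isTaken), "\n";
}
```

The lookup and the later insert are not atomic, so a unique constraint on the username column is still what guarantees uniqueness.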

Which brings up another point. You might want to update your Display/Edit Profile templates to hide the username:

roles/user-display.xt
roles/user-user_menu_form.xt

Validation: Enabling Validation

It is recommended that you always require your users to validate their registration. This means after they register, they'll receive an email with a validation code. They can click on a link to activate the account, or go to a page and type in the code. Either way, validation would be required before they're allowed to log in. Validation ensures that someone else isn't registering for you with your email address without your knowledge.

Enable validation in the Registration module; use Admin > Users & Groups > Registration > Config > Registration, and check the "Require Validation Of New Users" checkbox.

Xaraya's validation mechanism assumes the user has a username. If you hid the username field during registration, users may have no clue what their username is. A few adjustments are needed to accommodate our changes.

A. Edit the authemail authenticate_user.php file to enable validation checks (file modules/authemail/xaruserapi/authenticate_user.php). Around line 52, uncomment the line:
$getvalidation=TRUE;

(If this line is not present in your version of the file, I've pasted a copy of the whole thing below.)

B. Edit the Roles user-startvalidation.xd template (e.g. save it as mytheme/modules/roles/user-startvalidation.xt), replacing the uname input fields with a hidden one, such as

 

<input type="hidden" name="uname" id="uname" value="#xarVarPrepForDisplay($uname)#" />  

and delete the corresponding labels.

C. Edit the email confirmation message and remove references to username. See file var/messaging/roles/confirmation-message.xd.

 

Changes to Authemail Code

File: modules/authemail/xaruserapi/authenticate_user.php

function authemail_userapi_authenticate_user($args)
{
    // $args supplies $uname (here: the email address typed at login) and $pass
    extract($args);
    assert('!empty($uname) && isset($pass)');
    $dbconn =& xarDBGetConn();
    $xartable = xarDBGetTables();

    // Get user information, looking the account up by email address.
    // The email is passed as a bound parameter, not concatenated into the SQL.
    $rolestable = $xartable['roles'];
    $query = "SELECT xar_uid,
                     xar_pass,
                     xar_state,
                     xar_uname
              FROM $rolestable
              WHERE xar_email = ?";
    $bindvars = array($uname);
    $result =& $dbconn->Execute($query, $bindvars);
    if (!$result) return;
    if ($result->EOF) {
        // No account with this email address
        $result->Close();
        return XARUSER_AUTH_FAILED;
    }
    list($uid, $realpass, $state, $username) = $result->fields;
    $result->Close();

    // To support user validation + authemail, set $getvalidation to TRUE.
    // This will redirect logins to getvalidation if user has not been validated
    //
    // Note that this check runs before the password comparison below, so the
    // redirect (with the username in the URL) is issued for any email that
    // matches an unvalidated account, whether or not the password is correct.
    //
    //$getvalidation=FALSE;
    $getvalidation = TRUE;
    if ($getvalidation && $state == ROLES_STATE_NOTVALIDATED) {
        xarResponseRedirect(xarModURL('roles', 'user', 'getvalidation', array('uname' => $username)));
    }

    // Confirm that passwords match
    if (!xarUserComparePasswords($pass, $realpass, $uname, substr($realpass, 0, 2))) {
        return XARUSER_AUTH_FAILED;
    }
    return $uid;
}
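The listing above calls the validation redirect before the password comparison, so the redirect URL, which carries the account's username, is produced for any caller who submits the email of an unvalidated account. The added example below is not authemail or Xaraya code: it models both orderings on constructed accounts so the difference in responses is visible. The function authenticate, the constant values, and password_verify (used in place of xarUserComparePasswords) are assumptions of the example.

```php
<?php
// Added example: a stand-alone model of the control flow, not Xaraya code.
// Constants are stand-ins with arbitrary values; the accounts are constructed.
const STATE_NOTVALIDATED = 2;
const STATE_ACTIVE       = 3;
const AUTH_FAILED        = -1;

function sample_accounts(): array
{
    $hash = password_hash('correct horse', PASSWORD_DEFAULT);
    return [
        'new@example.test' => ['uid' => 7, 'uname' => 'new_user', 'state' => STATE_NOTVALIDATED, 'hash' => $hash],
        'old@example.test' => ['uid' => 8, 'uname' => 'old_user', 'state' => STATE_ACTIVE, 'hash' => $hash],
    ];
}

// Returns [result, redirect]. With $passwordFirst = false the state check
// precedes the password comparison, as in the listing above.
function authenticate(array $accounts, string $email, string $pass, bool $passwordFirst): array
{
    $acct = $accounts[$email] ?? null;
    if ($acct === null) {
        return [AUTH_FAILED, null];
    }
    $needsValidation = ($acct['state'] === STATE_NOTVALIDATED);
    $target = 'getvalidation?uname=' . rawurlencode($acct['uname']);

    // State-first: the redirect is decided before the caller has proved anything.
    $redirect = (!$passwordFirst && $needsValidation) ? $target : null;

    if (!password_verify($pass, $acct['hash'])) {
        // Password-first: this is indistinguishable from any other failed login.
        return [AUTH_FAILED, $redirect];
    }
    if ($needsValidation) {
        $redirect = $target;   // the caller knows the password, so guide them to validation
    }
    return [$acct['uid'], $redirect];
}

$accounts = sample_accounts();
foreach ([false, true] as $passwordFirst) {
    foreach (['wrong guess', 'correct horse'] as $pass) {
        [$result, $redirect] = authenticate($accounts, 'new@example.test', $pass, $passwordFirst);
        printf("%-14s %-14s result=%-3d redirect=%s\n",
            $passwordFirst ? 'password-first' : 'state-first', $pass, $result, $redirect ?? '(none)');
    }
}
```

In the real function the equivalent change is to move the $getvalidation block below the xarUserComparePasswords check.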

 

 

 

uly@gge.com

Posted by: olo on October 08, 2007 04:15 AM
iyk

#

human_resource@ajmangas.com

Posted by: Ajman Oil & Gas Corporation on October 30, 2007 02:38 AM
Please authenticate the e-mail address

#
