Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[pretix as OpenIDConnect client OIDC] Customer Account Anonymization does not delete their unique identifiers #3921

Open
Wikinaut opened this issue Feb 16, 2024 · 8 comments
Open

[pretix as OpenIDConnect client OIDC] Customer Account Anonymization does not delete their unique identifiers #3921

Wikinaut opened this issue Feb 16, 2024 · 8 comments

Comments

@Wikinaut
Copy link
Contributor

Wikinaut commented Feb 16, 2024
edited

[UPDATE]
A workaround (manual renaming of the inactive pretix-internal identifier to identifier.OLD) is described below #3921 (comment) YMMV.

Problem and impact

tl;dr
Bug: Customer Account Anonymization does not delete their unique identifier.

Long version:

  • I succesfully added Customer Account via OIDC SSO (ok).
  • I found, that the "name" field was not filled correctly, because I missed to setup the name field in the SSO admin panel.
  • A second SSO-login did not re-fill the name field from the SSO provider (this can be understood, but perhaps should be filed as separate issue.)

Problem:

As Admin, I wanted to delete my Customer Account, but there is not function to delete, only a function to "anonymize" an account, what I did.

Expected behaviour

The expected behaviour is:

That anonymization also(!) anonymizes the unique indentifier (here from SSO "sub") in order to allow a fully new user account creation.

But this was apparently not the case!

A new SSO Login - I expected a NEW customer account to be created - failed surprisingly with the message:

Login was not successfull: identifier not unique

tl;dr
Bug: Customer Account Anonymization does not delete their unique identifier.

Steps to reproduce

See above

Screenshots

20240216-130241 Auswahl

Link

No response

Browser (software, desktop or mobile?) and version

No response

Operating system, dependency versions

No response

Version

2024.1.0
@raphaelm
Copy link
Member

Hmm, yes, this is not good the way it is. Changing the identifier, however, is also not good. Will need to think about this - currently I'm not sure why we went with hashed uids in the first place, there was some reason but I can't remember it currently.

@Wikinaut
Copy link
Contributor Author

From privacy aspects (not my current problem of being unable to log-in as myself, what is the case at the moment - I have to try to change my "old", still blocking "sub" in the database), an anonymising operation should clean up also the sub or other external reference in the pretix databases. This is my view.

It' s not visible any longer, but present (somewhere under the hood).

@Wikinaut
Copy link
Contributor Author

Wikinaut commented Feb 16, 2024
edited

The former (1) customer account reference (2) looks to be gone, but is not. It is blocking to open a new account.
grafik

@Wikinaut
Copy link
Contributor Author

Wikinaut commented Feb 16, 2024
edited

Hmm, yes, this is not good the way it is. Changing the identifier, however, is also not good. Will need to think about this - currently I'm not sure why we went with hashed uids in the first place, there was some reason but I can't remember it currently.

In my view, when email address and name are deleted as appears to be the case at the moment, I am interested to learn, why the unique reference (sub aka Referenz) is not - this sub is the key to scrutizine, the magic unique item.....

In my view, it is the most "evil" item of all the sso data - which need to be deleted in any case when "anonymisung". Pretix still has its own Kundennummer, that's fine enough to "bind" the bookings to that person.

As mentioned: I am interested to learn and to understand, why the identifier is still present and, my problem, blocking.

If and only if the blocking is the important part, for example to avoid impersonication, that would be probably valid reason. I would like to learn, why exactly (case study).

@raphaelm
Copy link
Member

The sub is deleted, it is not kept under the hood, but the pretix-side customer ID in this case isn't random, but includes a hash of the sub. This was necessary for some reason but I currently don't remember what it was.

@Wikinaut
Copy link
Contributor Author

The sub is deleted, it is not kept under the hood, but the pretix-side customer ID in this case isn't random, but includes a hash of the sub. This was necessary for some reason but I currently don't remember what it was.

Ok.

But in that way it still prevents me from creating a new account via my credentials from that provider.

As I am a MySQL/MariaDB person: could you be so kind to post here the Postgresql code to delete that specific entry manually?

@Wikinaut
Copy link
Contributor Author

#WORKSFORME:

Workaround:

I renamed that ìdentifier in the database to identifier.OLD.

Now I can come back to pretix with my former SSO-user and got indeed the same ``ìdentifier```(from SSO-Accountcreation) and the old identifier is not blocking anymore:

grafik

@Wikinaut
Copy link
Contributor Author

Wikinaut commented Feb 16, 2024
edited

Dear @raphaelm , if you prefer to close my issue report: it will be fine for me.
On the other hand, I think, it describes an interesting observation which perhaps should be fixed.

One solution as proposed: during anonymization: add .OLDto the ``ìdentifier```.

sudo -u pretix pgsl -d pretix;
update public.pretixbase_customer set identifier = '5E76167.OLD' where identifier = '5E7616';

results (after that user came back to pretix) in:
grafik

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@raphaelm @Wikinaut