auth: Include user_id in the params returned at the end of mobile flow.

The user id is a very useful piece of information that the mobile client should have access to - instead of only getting the email. This makes it much simpler to impleent clients that might be robust to changes in email address.
2025-11-04 05:53:43 +00:00 · 2021-11-16 16:04:04 +01:00
parent 9e979e9e66
commit 0abbb87155
4 changed files with 15 additions and 3 deletions
--- a/templates/zerver/api/changelog.md
+++ b/templates/zerver/api/changelog.md
@@ -20,6 +20,12 @@ format used by the Zulip server that they are interacting with.

 ## Changes in Zulip 5.0

+**Feature level 108**
+
+* In the mobile application authentication flow, the authenticated
+  user's `user_id` is now included in the parameters encoded in the
+  final `zulip://` redirect URL.
+
 **Feature level 107**
 * [`POST /register`](/api/register-queue), [`PATCH /settings`](/api/update-settings),
  [`PATCH /realm/user_settings_defaults`](/api/update-realm-user-settings-defaults):
--- a/version.py
+++ b/version.py
@@ -33,7 +33,7 @@ DESKTOP_WARNING_VERSION = "5.4.3"
 # Changes should be accompanied by documentation explaining what the
 # new level means in templates/zerver/api/changelog.md, as well as
 # "**Changes**" entries in the endpoint's documentation in `zulip.yaml`.
-API_FEATURE_LEVEL = 107
+API_FEATURE_LEVEL = 108

 # Bump the minor PROVISION_VERSION to indicate that folks should provision
 # only when going from an old version of the code to a newer version. Bump
--- a/zerver/tests/test_auth_backends.py
+++ b/zerver/tests/test_auth_backends.py
@@ -1200,7 +1200,10 @@ class SocialAuthBase(DesktopFlowTestingLib, ZulipTestCase):

    def test_social_auth_mobile_success(self) -> None:
        mobile_flow_otp = "1234abcd" * 8
-        account_data_dict = self.get_account_data_dict(email=self.email, name="Full Name")
+        hamlet = self.example_user("hamlet")
+        account_data_dict = self.get_account_data_dict(
+            email=hamlet.delivery_email, name="Full Name"
+        )
        self.assert_length(mail.outbox, 0)
        self.user_profile.date_joined = timezone_now() - datetime.timedelta(
            seconds=JUST_CREATED_THRESHOLD + 1
@@ -1231,7 +1234,9 @@ class SocialAuthBase(DesktopFlowTestingLib, ZulipTestCase):
        query_params = urllib.parse.parse_qs(parsed_url.query)
        self.assertEqual(parsed_url.scheme, "zulip")
        self.assertEqual(query_params["realm"], ["http://zulip.testserver"])
-        self.assertEqual(query_params["email"], [self.example_email("hamlet")])
+        self.assertEqual(query_params["email"], [hamlet.delivery_email])
+        self.assertEqual(query_params["user_id"], [str(hamlet.id)])
+
        encrypted_api_key = query_params["otp_encrypted_api_key"][0]
        hamlet_api_keys = get_all_api_keys(self.example_user("hamlet"))
        self.assertIn(otp_decrypt_api_key(encrypted_api_key, mobile_flow_otp), hamlet_api_keys)
--- a/zerver/views/auth.py
+++ b/zerver/views/auth.py
@@ -382,6 +382,7 @@ def create_response_for_otp_flow(
    params = {
        encrypted_key_field_name: otp_encrypt_api_key(key, otp),
        "email": user_profile.delivery_email,
+        "user_id": user_profile.id,
        "realm": realm_uri,
    }
    # We can't use HttpResponseRedirect, since it only allows HTTP(S) URLs