Generic “userN” usernames

Was there a recent change that is leading to the influx of generic users named “userN” (where N is some number) on our Discourse instance and if so it possible to disable this? I haven’t been able to find anything in the settings.

1 Like

Those accounts might’ve been anonymized at some point in time.

They’re all new users asking their first question, I don’t think they’ve been anonymized by an admin.

Edit: or just new users, not necessarily with a post.

What method are these new users using to sign-up?

I’m not sure, is there somewhere I can check that?

It seems all these users have empty username details in the DiscourseConnect SSO section at the bottom of the User Admin page, if that means anything.

1 Like

Do you have groups with the same names?

This sounds similar to

1 Like

There is no group called “user”.

Can you check your discourse connect sign-up and see if the username field can be skipped when registering?

I’ll have to check with the internal systems team that manages our global user accounts and I assume the integration with Discourse Connect SSO. I suspect the issue is somewhere in here… just not sure why the sudden behavior change. I don’t think our global accounts have usernames, just emails, but this issue seems to have just popped up.

Anyway it’ll be a few hours before anybody is actually online. I’m up waaaay early.

1 Like

We recently stopped using email addresses when generating usernames during SSO.

The recommended solution is to supply a username in the SSO payload. You can go back to the previous behaviour by changing a hidden site setting, but we might remove it in the future.

./launcher enter app
rails c
SiteSetting.use_email_for_username_and_name_suggestions = true

So if our user accounts don’t have usernames and we just supply the email address in the username field of the SSO payload it will behave as it did previously?

1 Like

Yes, that should work. But it’s better to avoid generating usernames from emails because in this case, it’s easy to figure out emails of your users. This is insecure.

Note, that you can also send a full name in the name field to SSO. If you do so:

  • name will become the full name of a user on your Discourse
  • name will be used by SSO for generating username

Thanks everybody, I think we’ve got all the info we need to work around this in the short term and fix in the long term.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.