I’m storing user data (username, email, password hash) in PostgreSQL, and I can only enforce uniqueness on
username. I’d like to let users provide either their username or their email when they login. However, when matching their input against usernames and email addresses I want to ensure that a username match gets priority over an email match.
For example, in the following contrived instance:
id | username | email address | pw_hash ------------------------------------------------- 1 john_doe firstname.lastname@example.org x1j34 2 email@example.com firstname.lastname@example.org x1j34
if both users enter their username, I want to guarantee that user 2 gets logged in.
If I use:
SELECT * FROM member WHERE (email@example.com' OR firstname.lastname@example.org') AND pw_hash='x1j34';
this matches both users but provide no guarantee on order.
Is there a way to have to conditions, and only check the second condition if the first isn’t satisfied? Can this be done in a single query?
You have two conditions to check during the authentication:
There is a user with matching username; do not need to match by email.
There are no users with matching usernames; need to match by email.
So the query is:
WITH matching_username AS (SELECT * FROM member WHERE username = 'email@example.com') SELECT * FROM matching_username WHERE (SELECT COUNT(*) FROM matching_username) = 1 AND pw_hash = 'x1j34' UNION SELECT * FROM member WHERE (SELECT COUNT(*) FROM matching_username) = 0 AND email = 'firstname.lastname@example.org' AND pw_hash='x1j34';
On the other hand, there is a problem with your design of the table.
What if two users have have the same email, but neither of them have email as their username? If one of them tries to authenticate with an email, you will not be able to tell, which user record to authenticate against.