PLT-2905 fixing upgrade of SSO accounts (#2962)

* PLT-2905 fixing upgrade of SSO accounts * Fixing multiple Auths mapped to different emails
2025-02-25 18:55:24 -06:00 · 2016-05-11 11:04:30 -07:00
parent a574397a72
commit 3928535456
12 changed files with 122 additions and 56 deletions
--- a/api/admin_test.go
+++ b/api/admin_test.go
@@ -457,7 +457,8 @@ func TestAdminResetPassword(t *testing.T) {
 		t.Fatal("Should have errored - password too short")
 	}

-	user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
+	authData := model.NewId()
+	user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: &authData, AuthService: "random"}
 	user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
 	LinkUserToTeam(user2, team)
 	store.Must(Srv.Store.User().VerifyEmail(user2.Id))
--- a/api/authentication.go
+++ b/api/authentication.go
@@ -39,17 +39,17 @@ func checkUserPassword(user *model.User, password string) *model.AppError {
 	}
 }

-func checkLdapUserPasswordAndAllCriteria(ldapId, password, mfaToken string) (*model.User, *model.AppError) {
+func checkLdapUserPasswordAndAllCriteria(ldapId *string, password string, mfaToken string) (*model.User, *model.AppError) {
 	ldapInterface := einterfaces.GetLdapInterface()

-	if ldapInterface == nil {
+	if ldapInterface == nil || ldapId == nil {
 		err := model.NewLocAppError("doLdapAuthentication", "api.user.login_ldap.not_available.app_error", nil, "")
 		err.StatusCode = http.StatusNotImplemented
 		return nil, err
 	}

 	var user *model.User
-	if ldapUser, err := ldapInterface.DoLogin(ldapId, password); err != nil {
+	if ldapUser, err := ldapInterface.DoLogin(*ldapId, password); err != nil {
 		err.StatusCode = http.StatusUnauthorized
 		return nil, err
 	} else {
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -600,8 +600,11 @@ func CompleteSwitchWithOAuth(c *Context, w http.ResponseWriter, r *http.Request,
 		return
 	} else {
 		ssoUser := provider.GetUserFromJson(userData)
-		authData = ssoUser.AuthData
 		ssoEmail = ssoUser.Email
+
+		if ssoUser.AuthData != nil {
+			authData = *ssoUser.AuthData
+		}
 	}

 	if len(authData) == 0 {
@@ -628,7 +631,7 @@ func CompleteSwitchWithOAuth(c *Context, w http.ResponseWriter, r *http.Request,
 		return
 	}

-	if result := <-Srv.Store.User().UpdateAuthData(user.Id, service, authData, ssoEmail); result.Err != nil {
+	if result := <-Srv.Store.User().UpdateAuthData(user.Id, service, &authData, ssoEmail); result.Err != nil {
 		c.Err = result.Err
 		return
 	}
--- a/api/user.go
+++ b/api/user.go
@@ -535,7 +535,7 @@ func LoginByOAuth(c *Context, w http.ResponseWriter, r *http.Request, service st
 	}

 	var user *model.User
-	if result := <-Srv.Store.User().GetByAuth(authData, service); result.Err != nil {
+	if result := <-Srv.Store.User().GetByAuth(&authData, service); result.Err != nil {
 		if result.Err.Id == store.MISSING_AUTH_ACCOUNT_ERROR {
 			return CreateOAuthUser(c, w, r, service, bytes.NewReader(buf.Bytes()), "")
 		}
@@ -1289,7 +1289,8 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
 		}

 		rusers[0].Password = ""
-		rusers[0].AuthData = ""
+		rusers[0].AuthData = new(string)
+		*rusers[0].AuthData = ""
 		w.Write([]byte(rusers[0].ToJson()))
 	}
 }
@@ -1337,7 +1338,7 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {

 	user := result.Data.(*model.User)

-	if user.AuthData != "" {
+	if user.AuthData != nil && *user.AuthData != "" {
 		c.LogAudit("failed - tried to update user password who was logged in through oauth")
 		c.Err = model.NewLocAppError("updatePassword", "api.user.update_password.oauth.app_error", nil, "auth_service="+user.AuthService)
 		c.Err.StatusCode = http.StatusBadRequest
@@ -1653,7 +1654,7 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
 		user = result.Data.(*model.User)
 	}

-	if len(user.AuthData) != 0 {
+	if user.AuthData != nil && len(*user.AuthData) != 0 {
 		c.Err = model.NewLocAppError("sendPasswordReset", "api.user.send_password_reset.sso.app_error", nil, "userId="+user.Id)
 		return
 	}
@@ -1749,7 +1750,7 @@ func ResetPassword(c *Context, userId, newPassword string) *model.AppError {
 		user = result.Data.(*model.User)
 	}

-	if len(user.AuthData) != 0 && !c.IsSystemAdmin() {
+	if user.AuthData != nil && len(*user.AuthData) != 0 && !c.IsSystemAdmin() {
 		return model.NewLocAppError("ResetPassword", "api.user.reset_password.sso.app_error", nil, "userId="+user.Id)

 	}
@@ -2148,13 +2149,13 @@ func ldapToEmail(c *Context, w http.ResponseWriter, r *http.Request) {
 	}

 	ldapInterface := einterfaces.GetLdapInterface()
-	if ldapInterface == nil {
+	if ldapInterface == nil || user.AuthData == nil {
 		c.Err = model.NewLocAppError("ldapToEmail", "api.user.ldap_to_email.not_available.app_error", nil, "")
 		c.Err.StatusCode = http.StatusNotImplemented
 		return
 	}

-	if err := ldapInterface.CheckPassword(user.AuthData, ldapPassword); err != nil {
+	if err := ldapInterface.CheckPassword(*user.AuthData, ldapPassword); err != nil {
 		c.LogAuditWithUserId(user.Id, "fail - ldap authentication failed")
 		c.Err = err
 		return
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -1109,7 +1109,8 @@ func TestSendPasswordReset(t *testing.T) {
 		t.Fatal("Should have errored - bad email")
 	}

-	user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
+	authData := model.NewId()
+	user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: &authData, AuthService: "random"}
 	user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
 	LinkUserToTeam(user2, team)
 	store.Must(Srv.Store.User().VerifyEmail(user2.Id))
@@ -1178,7 +1179,8 @@ func TestResetPassword(t *testing.T) {
 		recovery = result.Data.(*model.PasswordRecovery)
 	}

-	if result := <-Srv.Store.User().UpdateAuthData(user.Id, "random", "1", ""); result.Err != nil {
+	authData := model.NewId()
+	if result := <-Srv.Store.User().UpdateAuthData(user.Id, "random", &authData, ""); result.Err != nil {
 		t.Fatal(result.Err)
 	}

--- a/i18n/en.json
+++ b/i18n/en.json
@@ -1337,7 +1337,7 @@
  },
  {
    "id": "api.templates.upgrade_30_body.info",
-    "translation": "<h3 style='font-weight: normal; margin-top: 10px;'>YOUR DUPLICATE ACCOUNTS HAVE BEEN UPDATED</h3>Your Mattermost server is being upgraded to Version 3.0, which lets you use a single account across multiple teams.<br/><br/>You are receiving this email because the upgrade process has detected your account had the same email or username as other accounts on the server.<br/><br/>The following updates have been made: <br/><br/>{{if .EmailChanged }}- The duplicate email of an account on the `/{{.TeamName}}` team was changed to `{{.Email}}`. If you use email and password to login, you can use this new email address for login.<br/><br/>{{end}}{{if .UsernameChanged }}- The duplicate username of an account on the team site `/{{.TeamName}}` has been changed to `{{.Username}}` to avoid confusion with other accounts.<br/><br/>{{end}} RECOMMENDED ACTION: <br/><br/>It is recommended that you login to your teams used by your duplicate accounts and add your primary account to the team and any public channels and private groups which you wish to continue using. <br/><br/>This gives your primary account access to all public channel and private group history. You can continue to access the direct message history of your duplicate accounts by logging in with their credentials. <br/><br/>FOR MORE INFORMATION: <br/><br/>For more information on the upgrade to Mattermost 3.0 please see: <a href='http://www.mattermost.org/upgrading-to-mattermost-3-0/'>http://www.mattermost.org/upgrading-to-mattermost-3-0/</a><br/><br/>"
+    "translation": "<h3 style='font-weight: normal; margin-top: 10px;'>YOUR DUPLICATE ACCOUNTS HAVE BEEN UPDATED</h3>Your Mattermost server is being upgraded to Version 3.0, which lets you use a single account across multiple teams.<br/><br/>You are receiving this email because the upgrade process has detected your account had the same email or username as other accounts on the server.<br/><br/>The following updates have been made: <br/><br/>{{if .EmailChanged }}- The duplicate email of an account on the `/{{.TeamName}}` team was changed to `{{.Email}}`. You will need to use email and password to login, you can use this new email address for login.<br/><br/>{{end}}{{if .UsernameChanged }}- The duplicate username of an account on the team site `/{{.TeamName}}` has been changed to `{{.Username}}` to avoid confusion with other accounts.<br/><br/>{{end}} RECOMMENDED ACTION: <br/><br/>It is recommended that you login to your teams used by your duplicate accounts and add your primary account to the team and any public channels and private groups which you wish to continue using. <br/><br/>This gives your primary account access to all public channel and private group history. You can continue to access the direct message history of your duplicate accounts by logging in with their credentials. <br/><br/>FOR MORE INFORMATION: <br/><br/>For more information on the upgrade to Mattermost 3.0 please see: <a href='http://www.mattermost.org/upgrading-to-mattermost-3-0/'>http://www.mattermost.org/upgrading-to-mattermost-3-0/</a><br/><br/>"
  },
  {
    "id": "api.templates.upgrade_30_subject.info",
--- a/mattermost.go
+++ b/mattermost.go
@@ -373,14 +373,15 @@ func cmdUpdateDb30() {

 		uniqueEmails := make(map[string]bool)
 		uniqueUsernames := make(map[string]bool)
-		primaryUsers := convertTeamTo30(team.Name, team, uniqueEmails, uniqueUsernames)
+		uniqueAuths := make(map[string]bool)
+		primaryUsers := convertTeamTo30(team.Name, team, uniqueEmails, uniqueUsernames, uniqueAuths)

 		l4g.Info("Upgraded %v users", len(primaryUsers))

 		for _, otherTeam := range teams {
 			if otherTeam.Id != team.Id {
 				l4g.Info("Upgrading team %v", otherTeam.Name)
-				users := convertTeamTo30(team.Name, otherTeam, uniqueEmails, uniqueUsernames)
+				users := convertTeamTo30(team.Name, otherTeam, uniqueEmails, uniqueUsernames, uniqueAuths)
 				l4g.Info("Upgraded %v users", len(users))

 			}
@@ -400,6 +401,18 @@ func cmdUpdateDb30() {
 			flushLogAndExit(1)
 		}

+		if _, err := store.GetMaster().Exec(`
+				UPDATE Users 
+				SET 
+				    AuthData = NULL
+				WHERE
+				    AuthData = ''
+				`,
+		); err != nil {
+			l4g.Error("Failed to update AuthData types details=%v", err)
+			flushLogAndExit(1)
+		}
+
 		extraLength := store.GetMaxLengthOfColumnIfExists("Audits", "ExtraInfo")
 		if len(extraLength) > 0 && extraLength != "1024" {
 			store.AlterColumnTypeIfExists("Audits", "ExtraInfo", "VARCHAR(1024)", "VARCHAR(1024)")
@@ -424,6 +437,7 @@ func cmdUpdateDb30() {
 			store.RemoveIndexIfExists("idx_users_team_id", "Users")
 			store.CreateUniqueIndexIfNotExists("idx_users_email_unique", "Users", "Email")
 			store.CreateUniqueIndexIfNotExists("idx_users_username_unique", "Users", "Username")
+			store.CreateUniqueIndexIfNotExists("idx_users_authdata_unique", "Users", "AuthData")
 			store.RemoveColumnIfExists("Teams", "AllowTeamListing")
 			store.RemoveColumnIfExists("Users", "TeamId")
 		}
@@ -448,12 +462,13 @@ type UserForUpgrade struct {
 	Email    string
 	Roles    string
 	TeamId   string
+	AuthData *string
 }

-func convertTeamTo30(primaryTeamName string, team *TeamForUpgrade, uniqueEmails map[string]bool, uniqueUsernames map[string]bool) []*UserForUpgrade {
+func convertTeamTo30(primaryTeamName string, team *TeamForUpgrade, uniqueEmails map[string]bool, uniqueUsernames map[string]bool, uniqueAuths map[string]bool) []*UserForUpgrade {
 	store := api.Srv.Store.(*store.SqlStore)
 	var users []*UserForUpgrade
-	if _, err := store.GetMaster().Select(&users, "SELECT Users.Id, Users.Username, Users.Email, Users.Roles, Users.TeamId FROM Users WHERE Users.TeamId = :TeamId", map[string]interface{}{"TeamId": team.Id}); err != nil {
+	if _, err := store.GetMaster().Select(&users, "SELECT Users.Id, Users.Username, Users.Email, Users.Roles, Users.TeamId, Users.AuthData FROM Users WHERE Users.TeamId = :TeamId", map[string]interface{}{"TeamId": team.Id}); err != nil {
 		l4g.Error("Failed to load profiles for team details=%v", err)
 		flushLogAndExit(1)
 	}
@@ -530,13 +545,19 @@ func convertTeamTo30(primaryTeamName string, team *TeamForUpgrade, uniqueEmails
 			}
 		}

+		if user.AuthData != nil && *user.AuthData != "" && uniqueAuths[*user.AuthData] {
+			shouldUpdateUser = true
+		}
+
 		if shouldUpdateUser {
 			if _, err := store.GetMaster().Exec(`
 				UPDATE Users 
 				SET 
 				    Email = :Email,
 				    Username = :Username,
-				    Roles = :Roles
+				    Roles = :Roles,
+				    AuthService = '',
+				    AuthData = NULL
 				WHERE
 				    Id = :Id
 				`,
@@ -590,6 +611,10 @@ func convertTeamTo30(primaryTeamName string, team *TeamForUpgrade, uniqueEmails

 		uniqueEmails[user.Email] = true
 		uniqueUsernames[user.Username] = true
+
+		if user.AuthData != nil && *user.AuthData != "" {
+			uniqueAuths[*user.AuthData] = true
+		}
 	}

 	return users
--- a/model/gitlab/gitlab.go
+++ b/model/gitlab/gitlab.go
@@ -47,7 +47,7 @@ func userFromGitLabUser(glu *GitLabUser) *model.User {
 	}
 	strings.TrimSpace(user.Email)
 	user.Email = glu.Email
-	user.AuthData = strconv.FormatInt(glu.Id, 10)
+	*user.AuthData = strconv.FormatInt(glu.Id, 10)
 	user.AuthService = model.USER_AUTH_SERVICE_GITLAB

 	return user
--- a/model/user.go
+++ b/model/user.go
@@ -37,7 +37,7 @@ type User struct {
 	DeleteAt           int64     `json:"delete_at"`
 	Username           string    `json:"username"`
 	Password           string    `json:"password,omitempty"`
-	AuthData           string    `json:"auth_data,omitempty"`
+	AuthData           *string   `json:"auth_data,omitempty"`
 	AuthService        string    `json:"auth_service"`
 	Email              string    `json:"email"`
 	EmailVerified      bool      `json:"email_verified,omitempty"`
@@ -99,15 +99,15 @@ func (u *User) IsValid() *AppError {
 		return NewLocAppError("User.IsValid", "model.user.is_valid.pwd.app_error", nil, "user_id="+u.Id)
 	}

-	if len(u.AuthData) > 128 {
+	if u.AuthData != nil && len(*u.AuthData) > 128 {
 		return NewLocAppError("User.IsValid", "model.user.is_valid.auth_data.app_error", nil, "user_id="+u.Id)
 	}

-	if len(u.AuthData) > 0 && len(u.AuthService) == 0 {
+	if u.AuthData != nil && len(*u.AuthData) > 0 && len(u.AuthService) == 0 {
 		return NewLocAppError("User.IsValid", "model.user.is_valid.auth_data_type.app_error", nil, "user_id="+u.Id)
 	}

-	if len(u.Password) > 0 && len(u.AuthData) > 0 {
+	if len(u.Password) > 0 && u.AuthData != nil && len(*u.AuthData) > 0 {
 		return NewLocAppError("User.IsValid", "model.user.is_valid.auth_data_pwd.app_error", nil, "user_id="+u.Id)
 	}

@@ -130,6 +130,10 @@ func (u *User) PreSave() {
 		u.Username = NewId()
 	}

+	if u.AuthData != nil && *u.AuthData == "" {
+		u.AuthData = nil
+	}
+
 	u.Username = strings.ToLower(u.Username)
 	u.Email = strings.ToLower(u.Email)
 	u.Locale = strings.ToLower(u.Locale)
@@ -165,6 +169,10 @@ func (u *User) PreUpdate() {
 	u.Locale = strings.ToLower(u.Locale)
 	u.UpdateAt = GetMillis()

+	if u.AuthData != nil && *u.AuthData == "" {
+		u.AuthData = nil
+	}
+
 	if u.NotifyProps == nil || len(u.NotifyProps) == 0 {
 		u.SetDefaultNotifications()
 	} else if _, ok := u.NotifyProps["mention_keys"]; ok {
@@ -237,7 +245,8 @@ func (u *User) IsAway() bool {
 // Remove any private data from the user object
 func (u *User) Sanitize(options map[string]bool) {
 	u.Password = ""
-	u.AuthData = ""
+	u.AuthData = new(string)
+	*u.AuthData = ""
 	u.MfaSecret = ""

 	if len(options) != 0 && !options["email"] {
@@ -255,7 +264,8 @@ func (u *User) Sanitize(options map[string]bool) {
 func (u *User) ClearNonProfileFields() {
 	u.UpdateAt = 0
 	u.Password = ""
-	u.AuthData = ""
+	u.AuthData = new(string)
+	*u.AuthData = ""
 	u.AuthService = ""
 	u.MfaActive = false
 	u.MfaSecret = ""
@@ -376,7 +386,8 @@ func (u *User) IsLDAPUser() bool {

 func (u *User) PreExport() {
 	u.Password = ""
-	u.AuthData = ""
+	u.AuthData = new(string)
+	*u.AuthData = ""
 	u.LastActivityAt = 0
 	u.LastPingAt = 0
 	u.LastPasswordUpdate = 0
@@ -429,7 +440,7 @@ func HashPassword(password string) string {
 // ComparePassword compares the hash
 func ComparePassword(hash string, password string) bool {

-	if len(password) == 0 {
+	if len(password) == 0 || len(hash) == 0 {
 		return false
 	}

--- a/store/sql_user_store.go
+++ b/store/sql_user_store.go
@@ -29,7 +29,7 @@ func NewSqlUserStore(sqlStore *SqlStore) UserStore {
 		table.ColMap("Id").SetMaxSize(26)
 		table.ColMap("Username").SetMaxSize(64).SetUnique(true)
 		table.ColMap("Password").SetMaxSize(128)
-		table.ColMap("AuthData").SetMaxSize(128)
+		table.ColMap("AuthData").SetMaxSize(128).SetUnique(true)
 		table.ColMap("AuthService").SetMaxSize(32)
 		table.ColMap("Email").SetMaxSize(128).SetUnique(true)
 		table.ColMap("Nickname").SetMaxSize(64)
@@ -265,7 +265,7 @@ func (us SqlUserStore) UpdatePassword(userId, hashedPassword string) StoreChanne

 		updateAt := model.GetMillis()

-		if _, err := us.GetMaster().Exec("UPDATE Users SET Password = :Password, LastPasswordUpdate = :LastPasswordUpdate, UpdateAt = :UpdateAt, AuthData = '', AuthService = '', EmailVerified = true, FailedAttempts = 0 WHERE Id = :UserId", map[string]interface{}{"Password": hashedPassword, "LastPasswordUpdate": updateAt, "UpdateAt": updateAt, "UserId": userId}); err != nil {
+		if _, err := us.GetMaster().Exec("UPDATE Users SET Password = :Password, LastPasswordUpdate = :LastPasswordUpdate, UpdateAt = :UpdateAt, AuthData = NULL, AuthService = '', EmailVerified = true, FailedAttempts = 0 WHERE Id = :UserId", map[string]interface{}{"Password": hashedPassword, "LastPasswordUpdate": updateAt, "UpdateAt": updateAt, "UserId": userId}); err != nil {
 			result.Err = model.NewLocAppError("SqlUserStore.UpdatePassword", "store.sql_user.update_password.app_error", nil, "id="+userId+", "+err.Error())
 		} else {
 			result.Data = userId
@@ -297,7 +297,7 @@ func (us SqlUserStore) UpdateFailedPasswordAttempts(userId string, attempts int)
 	return storeChannel
 }

-func (us SqlUserStore) UpdateAuthData(userId, service, authData, email string) StoreChannel {
+func (us SqlUserStore) UpdateAuthData(userId string, service string, authData *string, email string) StoreChannel {

 	storeChannel := make(StoreChannel)

@@ -513,7 +513,8 @@ func (us SqlUserStore) GetAllProfiles() StoreChannel {

 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}

@@ -564,7 +565,8 @@ func (us SqlUserStore) GetProfiles(teamId string) StoreChannel {

 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}

@@ -623,7 +625,8 @@ func (us SqlUserStore) GetDirectProfiles(userId string) StoreChannel {

 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}

@@ -665,7 +668,8 @@ func (us SqlUserStore) GetProfileByIds(userIds []string) StoreChannel {

 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}

@@ -696,7 +700,8 @@ func (us SqlUserStore) GetSystemAdminProfiles() StoreChannel {

 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}

@@ -734,20 +739,27 @@ func (us SqlUserStore) GetByEmail(email string) StoreChannel {
 	return storeChannel
 }

-func (us SqlUserStore) GetByAuth(authData string, authService string) StoreChannel {
+func (us SqlUserStore) GetByAuth(authData *string, authService string) StoreChannel {

 	storeChannel := make(StoreChannel)

 	go func() {
 		result := StoreResult{}

+		if authData == nil || *authData == "" {
+			result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", MISSING_AUTH_ACCOUNT_ERROR, nil, "authData='', authService="+authService)
+			storeChannel <- result
+			close(storeChannel)
+			return
+		}
+
 		user := model.User{}

 		if err := us.GetReplica().SelectOne(&user, "SELECT * FROM Users WHERE AuthData = :AuthData AND AuthService = :AuthService", map[string]interface{}{"AuthData": authData, "AuthService": authService}); err != nil {
 			if err == sql.ErrNoRows {
-				result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", MISSING_AUTH_ACCOUNT_ERROR, nil, "authData="+authData+", authService="+authService+", "+err.Error())
+				result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", MISSING_AUTH_ACCOUNT_ERROR, nil, "authData="+*authData+", authService="+authService+", "+err.Error())
 			} else {
-				result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", "store.sql_user.get_by_auth.other.app_error", nil, "authData="+authData+", authService="+authService+", "+err.Error())
+				result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", "store.sql_user.get_by_auth.other.app_error", nil, "authData="+*authData+", authService="+authService+", "+err.Error())
 			}
 		}

@@ -857,7 +869,8 @@ func (us SqlUserStore) GetForExport(teamId string) StoreChannel {
 		} else {
 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 			}

 			result.Data = users
--- a/store/sql_user_store_test.go
+++ b/store/sql_user_store_test.go
@@ -458,9 +458,11 @@ func TestUserStoreGetByAuthData(t *testing.T) {

 	teamId := model.NewId()

+	auth := "123" + model.NewId()
+
 	u1 := &model.User{}
 	u1.Email = model.NewId()
-	u1.AuthData = "123" + model.NewId()
+	u1.AuthData = &auth
 	u1.AuthService = "service"
 	Must(store.User().Save(u1))
 	Must(store.Team().SaveMember(&model.TeamMember{TeamId: teamId, UserId: u1.Id}))
@@ -469,7 +471,8 @@ func TestUserStoreGetByAuthData(t *testing.T) {
 		t.Fatal(err)
 	}

-	if err := (<-store.User().GetByAuth("", "")).Err; err == nil {
+	rauth := ""
+	if err := (<-store.User().GetByAuth(&rauth, "")).Err; err == nil {
 		t.Fatal("Should have failed because of missing auth data")
 	}
 }
@@ -497,19 +500,23 @@ func TestUserStoreGetByUsername(t *testing.T) {
 func TestUserStoreGetForLogin(t *testing.T) {
 	Setup()

+	auth := model.NewId()
+
 	u1 := &model.User{
 		Email:       model.NewId(),
 		Username:    model.NewId(),
 		AuthService: model.USER_AUTH_SERVICE_GITLAB,
-		AuthData:    model.NewId(),
+		AuthData:    &auth,
 	}
 	Must(store.User().Save(u1))

+	auth2 := model.NewId()
+
 	u2 := &model.User{
 		Email:       model.NewId(),
 		Username:    model.NewId(),
 		AuthService: model.USER_AUTH_SERVICE_LDAP,
-		AuthData:    model.NewId(),
+		AuthData:    &auth2,
 	}
 	Must(store.User().Save(u2))

@@ -525,14 +532,14 @@ func TestUserStoreGetForLogin(t *testing.T) {
 		t.Fatal("Should have gotten user1 by email")
 	}

-	if result := <-store.User().GetForLogin(u2.AuthData, true, true, true); result.Err != nil {
+	if result := <-store.User().GetForLogin(*u2.AuthData, true, true, true); result.Err != nil {
 		t.Fatal("Should have gotten user by LDAP AuthData", result.Err)
 	} else if result.Data.(*model.User).Id != u2.Id {
 		t.Fatal("Should have gotten user2 by LDAP AuthData")
 	}

 	// prevent getting user by AuthData when they're not an LDAP user
-	if result := <-store.User().GetForLogin(u1.AuthData, true, true, true); result.Err == nil {
+	if result := <-store.User().GetForLogin(*u1.AuthData, true, true, true); result.Err == nil {
 		t.Fatal("Should not have gotten user by non-LDAP AuthData")
 	}

@@ -545,23 +552,26 @@ func TestUserStoreGetForLogin(t *testing.T) {
 		t.Fatal("Should have failed to get user1 by email")
 	}

-	if result := <-store.User().GetForLogin(u2.AuthData, true, true, false); result.Err == nil {
+	if result := <-store.User().GetForLogin(*u2.AuthData, true, true, false); result.Err == nil {
 		t.Fatal("Should have failed to get user3 by LDAP AuthData")
 	}

+	auth3 := model.NewId()
+
 	// test a special case where two users will have conflicting login information so we throw a special error
 	u3 := &model.User{
 		Email:       model.NewId(),
 		Username:    model.NewId(),
 		AuthService: model.USER_AUTH_SERVICE_LDAP,
-		AuthData:    model.NewId(),
+		AuthData:    &auth3,
 	}
 	Must(store.User().Save(u3))
+
 	u4 := &model.User{
 		Email:       model.NewId(),
 		Username:    model.NewId(),
 		AuthService: model.USER_AUTH_SERVICE_LDAP,
-		AuthData:    u3.Username,
+		AuthData:    &u3.Username,
 	}
 	Must(store.User().Save(u4))

@@ -620,9 +630,9 @@ func TestUserStoreUpdateAuthData(t *testing.T) {
 	Must(store.Team().SaveMember(&model.TeamMember{TeamId: teamId, UserId: u1.Id}))

 	service := "someservice"
-	authData := "1"
+	authData := model.NewId()

-	if err := (<-store.User().UpdateAuthData(u1.Id, service, authData, "")).Err; err != nil {
+	if err := (<-store.User().UpdateAuthData(u1.Id, service, &authData, "")).Err; err != nil {
 		t.Fatal(err)
 	}

@@ -633,7 +643,7 @@ func TestUserStoreUpdateAuthData(t *testing.T) {
 		if user.AuthService != service {
 			t.Fatal("AuthService was not updated correctly")
 		}
-		if user.AuthData != authData {
+		if *user.AuthData != authData {
 			t.Fatal("AuthData was not updated correctly")
 		}
 		if user.Password != "" {
--- a/store/store.go
+++ b/store/store.go
@@ -126,7 +126,7 @@ type UserStore interface {
 	UpdateLastActivityAt(userId string, time int64) StoreChannel
 	UpdateUserAndSessionActivity(userId string, sessionId string, time int64) StoreChannel
 	UpdatePassword(userId, newPassword string) StoreChannel
-	UpdateAuthData(userId, service, authData, email string) StoreChannel
+	UpdateAuthData(userId string, service string, authData *string, email string) StoreChannel
 	UpdateMfaSecret(userId, secret string) StoreChannel
 	UpdateMfaActive(userId string, active bool) StoreChannel
 	Get(id string) StoreChannel
@@ -136,7 +136,7 @@ type UserStore interface {
 	GetDirectProfiles(userId string) StoreChannel
 	GetProfileByIds(userId []string) StoreChannel
 	GetByEmail(email string) StoreChannel
-	GetByAuth(authData string, authService string) StoreChannel
+	GetByAuth(authData *string, authService string) StoreChannel
 	GetByUsername(username string) StoreChannel
 	GetForLogin(loginId string, allowSignInWithUsername, allowSignInWithEmail, ldapEnabled bool) StoreChannel
 	VerifyEmail(userId string) StoreChannel