dex/server/register.go

package server

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"

	"github.com/coreos/dex/connector"
	"github.com/coreos/dex/pkg/log"
	"github.com/coreos/dex/session"
	"github.com/coreos/dex/user"
	"github.com/coreos/dex/user/manager"
	"github.com/coreos/go-oidc/oidc"
)

type formError struct {
	Field string
	Error string
}

type remoteExistsData struct {
	Login string

	Register string
}

type registerTemplateData struct {
	Error        bool
	FormErrors   []formError
	Message      string
	Email        string
	Code         string
	Password     string
	Local        bool
	RemoteExists *remoteExistsData
}

var (
	errToFormErrorMap = map[error]formError{
		user.ErrorInvalidEmail: formError{
			Field: "email",
			Error: "Please enter a valid email",
		},
		user.ErrorInvalidPassword: formError{
			Field: "password",
			Error: "Please enter a valid password",
		},
		user.ErrorDuplicateEmail: formError{
			Field: "email",
			Error: "That email is already in use; please choose another.",
		},
	}
)

func handleRegisterFunc(s *Server, tpl Template) http.HandlerFunc {

	errPage := func(w http.ResponseWriter, msg string, code string, status int) {
		data := registerTemplateData{
			Error:   true,
			Message: msg,
			Code:    code,
		}
		execTemplateWithStatus(w, tpl, data, status)
	}

	internalError := func(w http.ResponseWriter, err error) {
		log.Errorf("Internal Error during registration: %v", err)
		errPage(w, "There was a problem processing your request.", "", http.StatusInternalServerError)
	}

	idx := makeConnectorMap(s.Connectors)

	return func(w http.ResponseWriter, r *http.Request) {
		err := r.ParseForm()
		if err != nil {
			internalError(w, err)
			return
		}

		// verify the user has a valid code.
		key := r.Form.Get("code")
		sessionID, err := s.SessionManager.ExchangeKey(key)
		if err != nil {
			errPage(w, "Please authenticate before registering.", "", http.StatusUnauthorized)
			return
		}

		// create a new code for them to use next time they hit the server.
		code, err := s.SessionManager.NewSessionKey(sessionID)
		if err != nil {
			internalError(w, err)
			return
		}
		ses, err := s.SessionManager.Get(sessionID)
		if err != nil || ses == nil {
			return
		}

		var exists bool
		exists, err = remoteIdentityExists(s.UserRepo, ses.ConnectorID, ses.Identity.ID)
		if err != nil {
			internalError(w, err)
			return
		}

		if exists {
			// we have to create a new session to be able to run the server.Login function
			newSessionKey, err := s.NewSession(ses.ConnectorID, ses.ClientID,
				ses.ClientState, ses.RedirectURL, ses.Nonce, false, ses.Scope)
			if err != nil {
				internalError(w, err)
				return
			}
			// make sure to clean up the old session
			if err = s.KillSession(code); err != nil {
				internalError(w, err)
			}

			// finally, we can create a valid redirect URL for them.
			redirURL, err := s.Login(ses.Identity, newSessionKey)
			if err != nil {
				internalError(w, err)
				return
			}

			registerURL := newLoginURLFromSession(
				s.IssuerURL, ses, true, []string{}, "")

			execTemplate(w, tpl, registerTemplateData{
				RemoteExists: &remoteExistsData{
					Login:    redirURL,
					Register: registerURL.String(),
				},
			})

			return
		}

		// determine whether or not this is a local or remote ID that is going
		// to be registered.
		idpc, ok := idx[ses.ConnectorID]
		if !ok {
			internalError(w, fmt.Errorf("no such IDPC: %v", ses.ConnectorID))
			return
		}
		_, local := idpc.(*connector.LocalConnector)

		// Does the email comes from a trusted provider?
		trustedEmail := ses.Identity.Email != "" && idpc.TrustedEmailProvider()
		validate := r.Form.Get("validate") == "1"
		formErrors := []formError{}
		email := strings.TrimSpace(r.Form.Get("email"))

		// only auto-populate the first time the page is GETted, not on
		// subsequent POSTs
		if email == "" && r.Method == "GET" {
			email = ses.Identity.Email
		}

		password := r.Form.Get("password")
		if validate {
			if email == "" || !user.ValidEmail(email) {
				formErrors = append(formErrors, formError{"email", "Please supply a valid email"})
			}
			if local && password == "" {
				formErrors = append(formErrors, formError{"password", "Please supply a valid password"})
			}
		}

		data := registerTemplateData{
			Code:     code,
			Email:    email,
			Password: password,
			Local:    local,
		}

		// If there are form errors or this is the initial request
		// (i.e. validate==false), and we are not going to auto-submit a
		// trusted email, then show the form.
		if (len(formErrors) > 0 || !validate) && !trustedEmail {
			data.FormErrors = formErrors
			if !validate {
				execTemplate(w, tpl, data)
			} else {
				execTemplateWithStatus(w, tpl, data, http.StatusBadRequest)
			}
			return
		}

		var userID string
		if local {
			userID, err = registerFromLocalConnector(
				s.UserManager,
				s.SessionManager,
				ses,
				email, password)
		} else {
			if trustedEmail {
				// in the case of a trusted email provider, make sure we are
				// getting the email address from the session, not from the
				// query string, to prevent forgeries.
				email = ses.Identity.Email
			}
			userID, err = registerFromRemoteConnector(
				s.UserManager,
				ses,
				email,
				trustedEmail)
		}
		if err == user.ErrorDuplicateEmail {
			// In this case, the user probably just forgot that they registered.
			connID, err := getConnectorForUserByEmail(s.UserRepo, email)
			if err != nil {
				internalError(w, err)
			}
			loginURL := newLoginURLFromSession(
				s.IssuerURL, ses, false, []string{connID}, "login-maybe")
			if err = s.KillSession(code); err != nil {
				log.Errorf("Error killing session: %v", err)
			}
			http.Redirect(w, r, loginURL.String(), http.StatusSeeOther)
			return
		}

		if err != nil {
			formErrors := errToFormErrors(err)
			if len(formErrors) > 0 {
				data.FormErrors = formErrors
				execTemplate(w, tpl, data)
				return
			}
			if err == user.ErrorDuplicateRemoteIdentity {
				errPage(w, "You already registered an account with this identity", "", http.StatusConflict)
				return
			}
			internalError(w, err)
			return
		}
		ses, err = s.SessionManager.AttachUser(sessionID, userID)
		if err != nil {
			internalError(w, err)
			return
		}

		usr, err := s.UserRepo.Get(nil, userID)
		if err != nil {
			internalError(w, err)
			return
		}

		if !trustedEmail {
			_, err = s.UserEmailer.SendEmailVerification(usr.ID, ses.ClientID, ses.RedirectURL)

			if err != nil {
				log.Errorf("Error sending email verification: %v", err)
			}
		}

		w.Header().Set("Location", makeClientRedirectURL(
			ses.RedirectURL, code, ses.ClientState).String())
		w.WriteHeader(http.StatusSeeOther)
		return
	}
}

func makeClientRedirectURL(baseRedirURL url.URL, code, clientState string) *url.URL {
	ru := baseRedirURL
	q := ru.Query()
	q.Set("code", code)
	q.Set("state", clientState)
	ru.RawQuery = q.Encode()
	return &ru
}

func registerFromLocalConnector(userManager *manager.UserManager, sessionManager *session.SessionManager, ses *session.Session, email, password string) (string, error) {
	userID, err := userManager.RegisterWithPassword(email, password, ses.ConnectorID)
	if err != nil {
		return "", err
	}

	ses, err = sessionManager.AttachRemoteIdentity(ses.ID, oidc.Identity{
		ID: userID,
	})
	if err != nil {
		return "", err
	}
	return userID, nil
}

func registerFromRemoteConnector(userManager *manager.UserManager, ses *session.Session, email string, emailVerified bool) (string, error) {
	if ses.Identity.ID == "" {
		return "", errors.New("No Identity found in session.")
	}
	rid := user.RemoteIdentity{
		ConnectorID: ses.ConnectorID,
		ID:          ses.Identity.ID,
	}
	userID, err := userManager.RegisterWithRemoteIdentity(email, emailVerified, rid)
	if err != nil {
		return "", err
	}

	return userID, nil
}

func errToFormErrors(err error) []formError {
	fes := []formError{}
	fe, ok := errToFormErrorMap[err]
	if ok {
		fes = append(fes, fe)
	}
	return fes
}

func getConnectorForUserByEmail(ur user.UserRepo, email string) (string, error) {
	usr, err := ur.GetByEmail(nil, email)
	if err != nil {
		return "", err
	}

	rids, err := ur.GetRemoteIdentities(nil, usr.ID)
	if err != nil {
		return "", err
	}

	if len(rids) == 0 {
		return "", fmt.Errorf("No remote Identities for user %v", usr.ID)
	}

	return rids[0].ConnectorID, nil
}

func newLoginURLFromSession(issuer url.URL, ses *session.Session, register bool, connectorFilter []string, msgCode string) *url.URL {
	loginURL := issuer
	v := loginURL.Query()
	loginURL.Path = httpPathAuth
	v.Set("redirect_uri", ses.RedirectURL.String())
	v.Set("state", ses.ClientState)
	v.Set("client_id", ses.ClientID)
	if register {
		v.Set("register", "1")
	}
	if len(connectorFilter) > 0 {
		v.Set("show_connectors", strings.Join(connectorFilter, ","))
	}
	if msgCode != "" {
		v.Set("msg_code", msgCode)
	}
	if len(ses.Scope) > 0 {
		v.Set("scope", strings.Join(ses.Scope, " "))
	}

	loginURL.RawQuery = v.Encode()
	return &loginURL
}

func remoteIdentityExists(ur user.UserRepo, connectorID, id string) (bool, error) {
	_, err := ur.GetByRemoteIdentity(nil, user.RemoteIdentity{
		ConnectorID: connectorID,
		ID:          id,
	})

	if err == user.ErrorNotFound {
		return false, nil
	}

	if err == nil {
		return true, nil
	}

	return false, err
}
*: move original project to dex 2015-08-18 05:57:27 +05:30			`package server`

			`import (`
			`"errors"`
			`"fmt"`
			`"net/http"`
			`"net/url"`
			`"strings"`

			`"github.com/coreos/dex/connector"`
			`"github.com/coreos/dex/pkg/log"`
			`"github.com/coreos/dex/session"`
			`"github.com/coreos/dex/user"`
user: move user manager to it's own package This commit moves the user.Manage to its own package (user/manager) so it can import the connector package in a later commit. For clarity, it renames "Manager" to "UserManager" using gorname. This commit has no functional changes. 2015-12-08 04:59:58 +05:30			`"github.com/coreos/dex/user/manager"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`"github.com/coreos/go-oidc/oidc"`
			`)`

			`type formError struct {`
			`Field string`
			`Error string`
			`}`

server: better UX when remote ID already exists Instead of cryptic message with nowhere to, give them the choice to login with that account or register. 2015-12-24 00:18:20 +05:30			`type remoteExistsData struct {`
			`Login string`

			`Register string`
			`}`

*: move original project to dex 2015-08-18 05:57:27 +05:30			`type registerTemplateData struct {`
server: better UX when remote ID already exists Instead of cryptic message with nowhere to, give them the choice to login with that account or register. 2015-12-24 00:18:20 +05:30			`Error bool`
			`FormErrors []formError`
			`Message string`
			`Email string`
			`Code string`
			`Password string`
			`Local bool`
			`RemoteExists *remoteExistsData`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

			`var (`
			`errToFormErrorMap = map[error]formError{`
			`user.ErrorInvalidEmail: formError{`
			`Field: "email",`
			`Error: "Please enter a valid email",`
			`},`
			`user.ErrorInvalidPassword: formError{`
			`Field: "password",`
			`Error: "Please enter a valid password",`
			`},`
			`user.ErrorDuplicateEmail: formError{`
			`Field: "email",`
			`Error: "That email is already in use; please choose another.",`
			`},`
			`}`
			`)`

server: better UX when remote ID already exists Instead of cryptic message with nowhere to, give them the choice to login with that account or register. 2015-12-24 00:18:20 +05:30			`func handleRegisterFunc(s *Server, tpl Template) http.HandlerFunc {`
*: move original project to dex 2015-08-18 05:57:27 +05:30
			`errPage := func(w http.ResponseWriter, msg string, code string, status int) {`
			`data := registerTemplateData{`
			`Error: true,`
			`Message: msg,`
			`Code: code,`
			`}`
			`execTemplateWithStatus(w, tpl, data, status)`
			`}`

			`internalError := func(w http.ResponseWriter, err error) {`
			`log.Errorf("Internal Error during registration: %v", err)`
			`errPage(w, "There was a problem processing your request.", "", http.StatusInternalServerError)`
			`}`

			`idx := makeConnectorMap(s.Connectors)`

			`return func(w http.ResponseWriter, r *http.Request) {`
			`err := r.ParseForm()`
			`if err != nil {`
			`internalError(w, err)`
			`return`
			`}`

			`// verify the user has a valid code.`
			`key := r.Form.Get("code")`
			`sessionID, err := s.SessionManager.ExchangeKey(key)`
			`if err != nil {`
			`errPage(w, "Please authenticate before registering.", "", http.StatusUnauthorized)`
			`return`
			`}`

			`// create a new code for them to use next time they hit the server.`
			`code, err := s.SessionManager.NewSessionKey(sessionID)`
			`if err != nil {`
			`internalError(w, err)`
			`return`
			`}`
			`ses, err := s.SessionManager.Get(sessionID)`
			`if err != nil \|\| ses == nil {`
			`return`
			`}`

server: better UX when remote ID already exists Instead of cryptic message with nowhere to, give them the choice to login with that account or register. 2015-12-24 00:18:20 +05:30			`var exists bool`
			`exists, err = remoteIdentityExists(s.UserRepo, ses.ConnectorID, ses.Identity.ID)`
			`if err != nil {`
			`internalError(w, err)`
			`return`
			`}`

			`if exists {`
			`// we have to create a new session to be able to run the server.Login function`
			`newSessionKey, err := s.NewSession(ses.ConnectorID, ses.ClientID,`
			`ses.ClientState, ses.RedirectURL, ses.Nonce, false, ses.Scope)`
			`if err != nil {`
			`internalError(w, err)`
			`return`
			`}`
			`// make sure to clean up the old session`
			`if err = s.KillSession(code); err != nil {`
			`internalError(w, err)`
			`}`

			`// finally, we can create a valid redirect URL for them.`
			`redirURL, err := s.Login(ses.Identity, newSessionKey)`
			`if err != nil {`
			`internalError(w, err)`
			`return`
			`}`

			`registerURL := newLoginURLFromSession(`
			`s.IssuerURL, ses, true, []string{}, "")`

			`execTemplate(w, tpl, registerTemplateData{`
			`RemoteExists: &remoteExistsData{`
			`Login: redirURL,`
			`Register: registerURL.String(),`
			`},`
			`})`

			`return`
			`}`

*: move original project to dex 2015-08-18 05:57:27 +05:30			`// determine whether or not this is a local or remote ID that is going`
			`// to be registered.`
			`idpc, ok := idx[ses.ConnectorID]`
			`if !ok {`
			`internalError(w, fmt.Errorf("no such IDPC: %v", ses.ConnectorID))`
			`return`
			`}`
			`_, local := idpc.(*connector.LocalConnector)`

			`// Does the email comes from a trusted provider?`
			`trustedEmail := ses.Identity.Email != "" && idpc.TrustedEmailProvider()`
			`validate := r.Form.Get("validate") == "1"`
			`formErrors := []formError{}`
registration: trim spaces and sanity check user email from form When a user attempts to register an email, trim prefixed and trailing spaces, then perform a basic sanity check to ensure it's of form "test@example.com". Fixes #163 2015-12-01 05:20:55 +05:30			`email := strings.TrimSpace(r.Form.Get("email"))`
*: move original project to dex 2015-08-18 05:57:27 +05:30
			`// only auto-populate the first time the page is GETted, not on`
			`// subsequent POSTs`
			`if email == "" && r.Method == "GET" {`
			`email = ses.Identity.Email`
			`}`

			`password := r.Form.Get("password")`
			`if validate {`
registration: trim spaces and sanity check user email from form When a user attempts to register an email, trim prefixed and trailing spaces, then perform a basic sanity check to ensure it's of form "test@example.com". Fixes #163 2015-12-01 05:20:55 +05:30			`if email == "" \|\| !user.ValidEmail(email) {`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`formErrors = append(formErrors, formError{"email", "Please supply a valid email"})`
			`}`
			`if local && password == "" {`
			`formErrors = append(formErrors, formError{"password", "Please supply a valid password"})`
			`}`
			`}`

			`data := registerTemplateData{`
			`Code: code,`
			`Email: email,`
			`Password: password,`
			`Local: local,`
			`}`

			`// If there are form errors or this is the initial request`
			`// (i.e. validate==false), and we are not going to auto-submit a`
			`// trusted email, then show the form.`
			`if (len(formErrors) > 0 \|\| !validate) && !trustedEmail {`
			`data.FormErrors = formErrors`
			`if !validate {`
			`execTemplate(w, tpl, data)`
			`} else {`
			`execTemplateWithStatus(w, tpl, data, http.StatusBadRequest)`
			`}`
			`return`
			`}`

			`var userID string`
			`if local {`
			`userID, err = registerFromLocalConnector(`
			`s.UserManager,`
			`s.SessionManager,`
			`ses,`
			`email, password)`
			`} else {`
			`if trustedEmail {`
			`// in the case of a trusted email provider, make sure we are`
			`// getting the email address from the session, not from the`
			`// query string, to prevent forgeries.`
			`email = ses.Identity.Email`
			`}`
			`userID, err = registerFromRemoteConnector(`
			`s.UserManager,`
			`ses,`
			`email,`
			`trustedEmail)`
			`}`
			`if err == user.ErrorDuplicateEmail {`
			`// In this case, the user probably just forgot that they registered.`
			`connID, err := getConnectorForUserByEmail(s.UserRepo, email)`
			`if err != nil {`
			`internalError(w, err)`
			`}`
			`loginURL := newLoginURLFromSession(`
			`s.IssuerURL, ses, false, []string{connID}, "login-maybe")`
			`if err = s.KillSession(code); err != nil {`
			`log.Errorf("Error killing session: %v", err)`
			`}`
			`http.Redirect(w, r, loginURL.String(), http.StatusSeeOther)`
server: better UX when remote ID already exists Instead of cryptic message with nowhere to, give them the choice to login with that account or register. 2015-12-24 00:18:20 +05:30			`return`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

			`if err != nil {`
			`formErrors := errToFormErrors(err)`
			`if len(formErrors) > 0 {`
			`data.FormErrors = formErrors`
			`execTemplate(w, tpl, data)`
			`return`
*: Remove unnecessary else statements Whenever it makes the code easier to follow, use early return to avoid else statements. 2015-09-05 01:15:32 +05:30			`}`
			`if err == user.ErrorDuplicateRemoteIdentity {`
			`errPage(w, "You already registered an account with this identity", "", http.StatusConflict)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`return`
			`}`
*: Remove unnecessary else statements Whenever it makes the code easier to follow, use early return to avoid else statements. 2015-09-05 01:15:32 +05:30			`internalError(w, err)`
			`return`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`
			`ses, err = s.SessionManager.AttachUser(sessionID, userID)`
			`if err != nil {`
			`internalError(w, err)`
			`return`
			`}`

			`usr, err := s.UserRepo.Get(nil, userID)`
			`if err != nil {`
			`internalError(w, err)`
			`return`
			`}`

			`if !trustedEmail {`
			`_, err = s.UserEmailer.SendEmailVerification(usr.ID, ses.ClientID, ses.RedirectURL)`

			`if err != nil {`
			`log.Errorf("Error sending email verification: %v", err)`
			`}`
			`}`

server: better UX when remote ID already exists Instead of cryptic message with nowhere to, give them the choice to login with that account or register. 2015-12-24 00:18:20 +05:30			`w.Header().Set("Location", makeClientRedirectURL(`
			`ses.RedirectURL, code, ses.ClientState).String())`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`w.WriteHeader(http.StatusSeeOther)`
			`return`
			`}`
			`}`

server: better UX when remote ID already exists Instead of cryptic message with nowhere to, give them the choice to login with that account or register. 2015-12-24 00:18:20 +05:30			`func makeClientRedirectURL(baseRedirURL url.URL, code, clientState string) *url.URL {`
			`ru := baseRedirURL`
			`q := ru.Query()`
			`q.Set("code", code)`
			`q.Set("state", clientState)`
			`ru.RawQuery = q.Encode()`
			`return &ru`
			`}`

user: move user manager to it's own package This commit moves the user.Manage to its own package (user/manager) so it can import the connector package in a later commit. For clarity, it renames "Manager" to "UserManager" using gorname. This commit has no functional changes. 2015-12-08 04:59:58 +05:30			`func registerFromLocalConnector(userManager manager.UserManager, sessionManager session.SessionManager, ses *session.Session, email, password string) (string, error) {`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`userID, err := userManager.RegisterWithPassword(email, password, ses.ConnectorID)`
			`if err != nil {`
			`return "", err`
			`}`

			`ses, err = sessionManager.AttachRemoteIdentity(ses.ID, oidc.Identity{`
			`ID: userID,`
			`})`
			`if err != nil {`
			`return "", err`
			`}`
			`return userID, nil`
			`}`

user: move user manager to it's own package This commit moves the user.Manage to its own package (user/manager) so it can import the connector package in a later commit. For clarity, it renames "Manager" to "UserManager" using gorname. This commit has no functional changes. 2015-12-08 04:59:58 +05:30			`func registerFromRemoteConnector(userManager manager.UserManager, ses session.Session, email string, emailVerified bool) (string, error) {`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if ses.Identity.ID == "" {`
			`return "", errors.New("No Identity found in session.")`
			`}`
			`rid := user.RemoteIdentity{`
			`ConnectorID: ses.ConnectorID,`
			`ID: ses.Identity.ID,`
			`}`
			`userID, err := userManager.RegisterWithRemoteIdentity(email, emailVerified, rid)`
			`if err != nil {`
			`return "", err`
			`}`

			`return userID, nil`
			`}`

			`func errToFormErrors(err error) []formError {`
			`fes := []formError{}`
			`fe, ok := errToFormErrorMap[err]`
			`if ok {`
			`fes = append(fes, fe)`
			`}`
			`return fes`
			`}`

			`func getConnectorForUserByEmail(ur user.UserRepo, email string) (string, error) {`
			`usr, err := ur.GetByEmail(nil, email)`
			`if err != nil {`
			`return "", err`
			`}`

			`rids, err := ur.GetRemoteIdentities(nil, usr.ID)`
			`if err != nil {`
			`return "", err`
			`}`

			`if len(rids) == 0 {`
			`return "", fmt.Errorf("No remote Identities for user %v", usr.ID)`
			`}`

			`return rids[0].ConnectorID, nil`
			`}`

			`func newLoginURLFromSession(issuer url.URL, ses session.Session, register bool, connectorFilter []string, msgCode string) url.URL {`
			`loginURL := issuer`
			`v := loginURL.Query()`
			`loginURL.Path = httpPathAuth`
			`v.Set("redirect_uri", ses.RedirectURL.String())`
			`v.Set("state", ses.ClientState)`
			`v.Set("client_id", ses.ClientID)`
			`if register {`
			`v.Set("register", "1")`
			`}`
			`if len(connectorFilter) > 0 {`
			`v.Set("show_connectors", strings.Join(connectorFilter, ","))`
			`}`
			`if msgCode != "" {`
			`v.Set("msg_code", msgCode)`
			`}`
server: add scope to newLoginURLFromSession need to make sure the scope is present otherwise will be considered an invalid request fixes #135 2015-11-19 00:46:35 +05:30			`if len(ses.Scope) > 0 {`
			`v.Set("scope", strings.Join(ses.Scope, " "))`
			`}`
*: move original project to dex 2015-08-18 05:57:27 +05:30
			`loginURL.RawQuery = v.Encode()`
			`return &loginURL`
			`}`
server: better UX when remote ID already exists Instead of cryptic message with nowhere to, give them the choice to login with that account or register. 2015-12-24 00:18:20 +05:30
			`func remoteIdentityExists(ur user.UserRepo, connectorID, id string) (bool, error) {`
			`_, err := ur.GetByRemoteIdentity(nil, user.RemoteIdentity{`
			`ConnectorID: connectorID,`
			`ID: id,`
			`})`

			`if err == user.ErrorNotFound {`
			`return false, nil`
			`}`

			`if err == nil {`
			`return true, nil`
			`}`

			`return false, err`
			`}`