12 files changed, 122 insertions, 56 deletions

diff --git a/api/admin_test.go b/api/admin_test.go
index 933c3d59c..f3d3ec4ed 100644
--- a/api/admin_test.go
+++ b/api/admin_test.go
@@ -457,7 +457,8 @@ func TestAdminResetPassword(t *testing.T) {
 		t.Fatal("Should have errored - password too short")
 	}
 
-	user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
+	authData := model.NewId()
+	user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: &authData, AuthService: "random"}
 	user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
 	LinkUserToTeam(user2, team)
 	store.Must(Srv.Store.User().VerifyEmail(user2.Id))
diff --git a/api/authentication.go b/api/authentication.go
index 10ed578e1..9243947ad 100644
--- a/api/authentication.go
+++ b/api/authentication.go
@@ -39,17 +39,17 @@ func checkUserPassword(user *model.User, password string) *model.AppError {
 	}
 }
 
-func checkLdapUserPasswordAndAllCriteria(ldapId, password, mfaToken string) (*model.User, *model.AppError) {
+func checkLdapUserPasswordAndAllCriteria(ldapId *string, password string, mfaToken string) (*model.User, *model.AppError) {
 	ldapInterface := einterfaces.GetLdapInterface()
 
-	if ldapInterface == nil {
+	if ldapInterface == nil || ldapId == nil {
 		err := model.NewLocAppError("doLdapAuthentication", "api.user.login_ldap.not_available.app_error", nil, "")
 		err.StatusCode = http.StatusNotImplemented
 		return nil, err
 	}
 
 	var user *model.User
-	if ldapUser, err := ldapInterface.DoLogin(ldapId, password); err != nil {
+	if ldapUser, err := ldapInterface.DoLogin(*ldapId, password); err != nil {
 		err.StatusCode = http.StatusUnauthorized
 		return nil, err
 	} else {
diff --git a/api/oauth.go b/api/oauth.go
index 0375f4e6f..37ca5ce0a 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -600,8 +600,11 @@ func CompleteSwitchWithOAuth(c *Context, w http.ResponseWriter, r *http.Request,
 		return
 	} else {
 		ssoUser := provider.GetUserFromJson(userData)
-		authData = ssoUser.AuthData
 		ssoEmail = ssoUser.Email
+
+		if ssoUser.AuthData != nil {
+			authData = *ssoUser.AuthData
+		}
 	}
 
 	if len(authData) == 0 {
@@ -628,7 +631,7 @@ func CompleteSwitchWithOAuth(c *Context, w http.ResponseWriter, r *http.Request,
 		return
 	}
 
-	if result := <-Srv.Store.User().UpdateAuthData(user.Id, service, authData, ssoEmail); result.Err != nil {
+	if result := <-Srv.Store.User().UpdateAuthData(user.Id, service, &authData, ssoEmail); result.Err != nil {
 		c.Err = result.Err
 		return
 	}
diff --git a/api/user.go b/api/user.go
index c53a643c7..4b9c3a3c8 100644
--- a/api/user.go
+++ b/api/user.go
@@ -535,7 +535,7 @@ func LoginByOAuth(c *Context, w http.ResponseWriter, r *http.Request, service st
 	}
 
 	var user *model.User
-	if result := <-Srv.Store.User().GetByAuth(authData, service); result.Err != nil {
+	if result := <-Srv.Store.User().GetByAuth(&authData, service); result.Err != nil {
 		if result.Err.Id == store.MISSING_AUTH_ACCOUNT_ERROR {
 			return CreateOAuthUser(c, w, r, service, bytes.NewReader(buf.Bytes()), "")
 		}
@@ -1289,7 +1289,8 @@ func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
 		}
 
 		rusers[0].Password = ""
-		rusers[0].AuthData = ""
+		rusers[0].AuthData = new(string)
+		*rusers[0].AuthData = ""
 		w.Write([]byte(rusers[0].ToJson()))
 	}
 }
@@ -1337,7 +1338,7 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	user := result.Data.(*model.User)
 
-	if user.AuthData != "" {
+	if user.AuthData != nil && *user.AuthData != "" {
 		c.LogAudit("failed - tried to update user password who was logged in through oauth")
 		c.Err = model.NewLocAppError("updatePassword", "api.user.update_password.oauth.app_error", nil, "auth_service="+user.AuthService)
 		c.Err.StatusCode = http.StatusBadRequest
@@ -1653,7 +1654,7 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
 		user = result.Data.(*model.User)
 	}
 
-	if len(user.AuthData) != 0 {
+	if user.AuthData != nil && len(*user.AuthData) != 0 {
 		c.Err = model.NewLocAppError("sendPasswordReset", "api.user.send_password_reset.sso.app_error", nil, "userId="+user.Id)
 		return
 	}
@@ -1749,7 +1750,7 @@ func ResetPassword(c *Context, userId, newPassword string) *model.AppError {
 		user = result.Data.(*model.User)
 	}
 
-	if len(user.AuthData) != 0 && !c.IsSystemAdmin() {
+	if user.AuthData != nil && len(*user.AuthData) != 0 && !c.IsSystemAdmin() {
 		return model.NewLocAppError("ResetPassword", "api.user.reset_password.sso.app_error", nil, "userId="+user.Id)
 
 	}
@@ -2148,13 +2149,13 @@ func ldapToEmail(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 
 	ldapInterface := einterfaces.GetLdapInterface()
-	if ldapInterface == nil {
+	if ldapInterface == nil || user.AuthData == nil {
 		c.Err = model.NewLocAppError("ldapToEmail", "api.user.ldap_to_email.not_available.app_error", nil, "")
 		c.Err.StatusCode = http.StatusNotImplemented
 		return
 	}
 
-	if err := ldapInterface.CheckPassword(user.AuthData, ldapPassword); err != nil {
+	if err := ldapInterface.CheckPassword(*user.AuthData, ldapPassword); err != nil {
 		c.LogAuditWithUserId(user.Id, "fail - ldap authentication failed")
 		c.Err = err
 		return
diff --git a/api/user_test.go b/api/user_test.go
index 9dd57dc20..c34d32c11 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -1109,7 +1109,8 @@ func TestSendPasswordReset(t *testing.T) {
 		t.Fatal("Should have errored - bad email")
 	}
 
-	user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: "1", AuthService: "random"}
+	authData := model.NewId()
+	user2 := &model.User{Email: strings.ToLower(model.NewId()) + "success+test@simulator.amazonses.com", Nickname: "Corey Hulen", AuthData: &authData, AuthService: "random"}
 	user2 = Client.Must(Client.CreateUser(user2, "")).Data.(*model.User)
 	LinkUserToTeam(user2, team)
 	store.Must(Srv.Store.User().VerifyEmail(user2.Id))
@@ -1178,7 +1179,8 @@ func TestResetPassword(t *testing.T) {
 		recovery = result.Data.(*model.PasswordRecovery)
 	}
 
-	if result := <-Srv.Store.User().UpdateAuthData(user.Id, "random", "1", ""); result.Err != nil {
+	authData := model.NewId()
+	if result := <-Srv.Store.User().UpdateAuthData(user.Id, "random", &authData, ""); result.Err != nil {
 		t.Fatal(result.Err)
 	}
 
diff --git a/i18n/en.json b/i18n/en.json
index 432279c23..cfa8eaf56 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -1337,7 +1337,7 @@
   },
   {
     "id": "api.templates.upgrade_30_body.info",
-    "translation": "<h3 style='font-weight: normal; margin-top: 10px;'>YOUR DUPLICATE ACCOUNTS HAVE BEEN UPDATED</h3>Your Mattermost server is being upgraded to Version 3.0, which lets you use a single account across multiple teams.<br/><br/>You are receiving this email because the upgrade process has detected your account had the same email or username as other accounts on the server.<br/><br/>The following updates have been made: <br/><br/>{{if .EmailChanged }}- The duplicate email of an account on the `/{{.TeamName}}` team was changed to `{{.Email}}`. If you use email and password to login, you can use this new email address for login.<br/><br/>{{end}}{{if .UsernameChanged }}- The duplicate username of an account on the team site `/{{.TeamName}}` has been changed to `{{.Username}}` to avoid confusion with other accounts.<br/><br/>{{end}} RECOMMENDED ACTION: <br/><br/>It is recommended that you login to your teams used by your duplicate accounts and add your primary account to the team and any public channels and private groups which you wish to continue using. <br/><br/>This gives your primary account access to all public channel and private group history. You can continue to access the direct message history of your duplicate accounts by logging in with their credentials. <br/><br/>FOR MORE INFORMATION: <br/><br/>For more information on the upgrade to Mattermost 3.0 please see: <a href='http://www.mattermost.org/upgrading-to-mattermost-3-0/'>http://www.mattermost.org/upgrading-to-mattermost-3-0/</a><br/><br/>"
+    "translation": "<h3 style='font-weight: normal; margin-top: 10px;'>YOUR DUPLICATE ACCOUNTS HAVE BEEN UPDATED</h3>Your Mattermost server is being upgraded to Version 3.0, which lets you use a single account across multiple teams.<br/><br/>You are receiving this email because the upgrade process has detected your account had the same email or username as other accounts on the server.<br/><br/>The following updates have been made: <br/><br/>{{if .EmailChanged }}- The duplicate email of an account on the `/{{.TeamName}}` team was changed to `{{.Email}}`. You will need to use email and password to login, you can use this new email address for login.<br/><br/>{{end}}{{if .UsernameChanged }}- The duplicate username of an account on the team site `/{{.TeamName}}` has been changed to `{{.Username}}` to avoid confusion with other accounts.<br/><br/>{{end}} RECOMMENDED ACTION: <br/><br/>It is recommended that you login to your teams used by your duplicate accounts and add your primary account to the team and any public channels and private groups which you wish to continue using. <br/><br/>This gives your primary account access to all public channel and private group history. You can continue to access the direct message history of your duplicate accounts by logging in with their credentials. <br/><br/>FOR MORE INFORMATION: <br/><br/>For more information on the upgrade to Mattermost 3.0 please see: <a href='http://www.mattermost.org/upgrading-to-mattermost-3-0/'>http://www.mattermost.org/upgrading-to-mattermost-3-0/</a><br/><br/>"
   },
   {
     "id": "api.templates.upgrade_30_subject.info",
diff --git a/mattermost.go b/mattermost.go
index be9b08a95..6fe285d58 100644
--- a/mattermost.go
+++ b/mattermost.go
@@ -373,14 +373,15 @@ func cmdUpdateDb30() {
 
 		uniqueEmails := make(map[string]bool)
 		uniqueUsernames := make(map[string]bool)
-		primaryUsers := convertTeamTo30(team.Name, team, uniqueEmails, uniqueUsernames)
+		uniqueAuths := make(map[string]bool)
+		primaryUsers := convertTeamTo30(team.Name, team, uniqueEmails, uniqueUsernames, uniqueAuths)
 
 		l4g.Info("Upgraded %v users", len(primaryUsers))
 
 		for _, otherTeam := range teams {
 			if otherTeam.Id != team.Id {
 				l4g.Info("Upgrading team %v", otherTeam.Name)
-				users := convertTeamTo30(team.Name, otherTeam, uniqueEmails, uniqueUsernames)
+				users := convertTeamTo30(team.Name, otherTeam, uniqueEmails, uniqueUsernames, uniqueAuths)
 				l4g.Info("Upgraded %v users", len(users))
 
 			}
@@ -400,6 +401,18 @@ func cmdUpdateDb30() {
 			flushLogAndExit(1)
 		}
 
+		if _, err := store.GetMaster().Exec(`
+				UPDATE Users 
+				SET 
+				    AuthData = NULL
+				WHERE
+				    AuthData = ''
+				`,
+		); err != nil {
+			l4g.Error("Failed to update AuthData types details=%v", err)
+			flushLogAndExit(1)
+		}
+
 		extraLength := store.GetMaxLengthOfColumnIfExists("Audits", "ExtraInfo")
 		if len(extraLength) > 0 && extraLength != "1024" {
 			store.AlterColumnTypeIfExists("Audits", "ExtraInfo", "VARCHAR(1024)", "VARCHAR(1024)")
@@ -424,6 +437,7 @@ func cmdUpdateDb30() {
 			store.RemoveIndexIfExists("idx_users_team_id", "Users")
 			store.CreateUniqueIndexIfNotExists("idx_users_email_unique", "Users", "Email")
 			store.CreateUniqueIndexIfNotExists("idx_users_username_unique", "Users", "Username")
+			store.CreateUniqueIndexIfNotExists("idx_users_authdata_unique", "Users", "AuthData")
 			store.RemoveColumnIfExists("Teams", "AllowTeamListing")
 			store.RemoveColumnIfExists("Users", "TeamId")
 		}
@@ -448,12 +462,13 @@ type UserForUpgrade struct {
 	Email    string
 	Roles    string
 	TeamId   string
+	AuthData *string
 }
 
-func convertTeamTo30(primaryTeamName string, team *TeamForUpgrade, uniqueEmails map[string]bool, uniqueUsernames map[string]bool) []*UserForUpgrade {
+func convertTeamTo30(primaryTeamName string, team *TeamForUpgrade, uniqueEmails map[string]bool, uniqueUsernames map[string]bool, uniqueAuths map[string]bool) []*UserForUpgrade {
 	store := api.Srv.Store.(*store.SqlStore)
 	var users []*UserForUpgrade
-	if _, err := store.GetMaster().Select(&users, "SELECT Users.Id, Users.Username, Users.Email, Users.Roles, Users.TeamId FROM Users WHERE Users.TeamId = :TeamId", map[string]interface{}{"TeamId": team.Id}); err != nil {
+	if _, err := store.GetMaster().Select(&users, "SELECT Users.Id, Users.Username, Users.Email, Users.Roles, Users.TeamId, Users.AuthData FROM Users WHERE Users.TeamId = :TeamId", map[string]interface{}{"TeamId": team.Id}); err != nil {
 		l4g.Error("Failed to load profiles for team details=%v", err)
 		flushLogAndExit(1)
 	}
@@ -530,13 +545,19 @@ func convertTeamTo30(primaryTeamName string, team *TeamForUpgrade, uniqueEmails
 			}
 		}
 
+		if user.AuthData != nil && *user.AuthData != "" && uniqueAuths[*user.AuthData] {
+			shouldUpdateUser = true
+		}
+
 		if shouldUpdateUser {
 			if _, err := store.GetMaster().Exec(`
 				UPDATE Users 
 				SET 
 				    Email = :Email,
 				    Username = :Username,
-				    Roles = :Roles
+				    Roles = :Roles,
+				    AuthService = '',
+				    AuthData = NULL
 				WHERE
 				    Id = :Id
 				`,
@@ -590,6 +611,10 @@ func convertTeamTo30(primaryTeamName string, team *TeamForUpgrade, uniqueEmails
 
 		uniqueEmails[user.Email] = true
 		uniqueUsernames[user.Username] = true
+
+		if user.AuthData != nil && *user.AuthData != "" {
+			uniqueAuths[*user.AuthData] = true
+		}
 	}
 
 	return users
diff --git a/model/gitlab/gitlab.go b/model/gitlab/gitlab.go
index d6071f99f..fc70dd93f 100644
--- a/model/gitlab/gitlab.go
+++ b/model/gitlab/gitlab.go
@@ -47,7 +47,7 @@ func userFromGitLabUser(glu *GitLabUser) *model.User {
 	}
 	strings.TrimSpace(user.Email)
 	user.Email = glu.Email
-	user.AuthData = strconv.FormatInt(glu.Id, 10)
+	*user.AuthData = strconv.FormatInt(glu.Id, 10)
 	user.AuthService = model.USER_AUTH_SERVICE_GITLAB
 
 	return user
diff --git a/model/user.go b/model/user.go
index 7563de8ae..15c281401 100644
--- a/model/user.go
+++ b/model/user.go
@@ -37,7 +37,7 @@ type User struct {
 	DeleteAt           int64     `json:"delete_at"`
 	Username           string    `json:"username"`
 	Password           string    `json:"password,omitempty"`
-	AuthData           string    `json:"auth_data,omitempty"`
+	AuthData           *string   `json:"auth_data,omitempty"`
 	AuthService        string    `json:"auth_service"`
 	Email              string    `json:"email"`
 	EmailVerified      bool      `json:"email_verified,omitempty"`
@@ -99,15 +99,15 @@ func (u *User) IsValid() *AppError {
 		return NewLocAppError("User.IsValid", "model.user.is_valid.pwd.app_error", nil, "user_id="+u.Id)
 	}
 
-	if len(u.AuthData) > 128 {
+	if u.AuthData != nil && len(*u.AuthData) > 128 {
 		return NewLocAppError("User.IsValid", "model.user.is_valid.auth_data.app_error", nil, "user_id="+u.Id)
 	}
 
-	if len(u.AuthData) > 0 && len(u.AuthService) == 0 {
+	if u.AuthData != nil && len(*u.AuthData) > 0 && len(u.AuthService) == 0 {
 		return NewLocAppError("User.IsValid", "model.user.is_valid.auth_data_type.app_error", nil, "user_id="+u.Id)
 	}
 
-	if len(u.Password) > 0 && len(u.AuthData) > 0 {
+	if len(u.Password) > 0 && u.AuthData != nil && len(*u.AuthData) > 0 {
 		return NewLocAppError("User.IsValid", "model.user.is_valid.auth_data_pwd.app_error", nil, "user_id="+u.Id)
 	}
 
@@ -130,6 +130,10 @@ func (u *User) PreSave() {
 		u.Username = NewId()
 	}
 
+	if u.AuthData != nil && *u.AuthData == "" {
+		u.AuthData = nil
+	}
+
 	u.Username = strings.ToLower(u.Username)
 	u.Email = strings.ToLower(u.Email)
 	u.Locale = strings.ToLower(u.Locale)
@@ -165,6 +169,10 @@ func (u *User) PreUpdate() {
 	u.Locale = strings.ToLower(u.Locale)
 	u.UpdateAt = GetMillis()
 
+	if u.AuthData != nil && *u.AuthData == "" {
+		u.AuthData = nil
+	}
+
 	if u.NotifyProps == nil || len(u.NotifyProps) == 0 {
 		u.SetDefaultNotifications()
 	} else if _, ok := u.NotifyProps["mention_keys"]; ok {
@@ -237,7 +245,8 @@ func (u *User) IsAway() bool {
 // Remove any private data from the user object
 func (u *User) Sanitize(options map[string]bool) {
 	u.Password = ""
-	u.AuthData = ""
+	u.AuthData = new(string)
+	*u.AuthData = ""
 	u.MfaSecret = ""
 
 	if len(options) != 0 && !options["email"] {
@@ -255,7 +264,8 @@ func (u *User) Sanitize(options map[string]bool) {
 func (u *User) ClearNonProfileFields() {
 	u.UpdateAt = 0
 	u.Password = ""
-	u.AuthData = ""
+	u.AuthData = new(string)
+	*u.AuthData = ""
 	u.AuthService = ""
 	u.MfaActive = false
 	u.MfaSecret = ""
@@ -376,7 +386,8 @@ func (u *User) IsLDAPUser() bool {
 
 func (u *User) PreExport() {
 	u.Password = ""
-	u.AuthData = ""
+	u.AuthData = new(string)
+	*u.AuthData = ""
 	u.LastActivityAt = 0
 	u.LastPingAt = 0
 	u.LastPasswordUpdate = 0
@@ -429,7 +440,7 @@ func HashPassword(password string) string {
 // ComparePassword compares the hash
 func ComparePassword(hash string, password string) bool {
 
-	if len(password) == 0 {
+	if len(password) == 0 || len(hash) == 0 {
 		return false
 	}
 
diff --git a/store/sql_user_store.go b/store/sql_user_store.go
index 974081a64..080d8d128 100644
--- a/store/sql_user_store.go
+++ b/store/sql_user_store.go
@@ -29,7 +29,7 @@ func NewSqlUserStore(sqlStore *SqlStore) UserStore {
 		table.ColMap("Id").SetMaxSize(26)
 		table.ColMap("Username").SetMaxSize(64).SetUnique(true)
 		table.ColMap("Password").SetMaxSize(128)
-		table.ColMap("AuthData").SetMaxSize(128)
+		table.ColMap("AuthData").SetMaxSize(128).SetUnique(true)
 		table.ColMap("AuthService").SetMaxSize(32)
 		table.ColMap("Email").SetMaxSize(128).SetUnique(true)
 		table.ColMap("Nickname").SetMaxSize(64)
@@ -265,7 +265,7 @@ func (us SqlUserStore) UpdatePassword(userId, hashedPassword string) StoreChanne
 
 		updateAt := model.GetMillis()
 
-		if _, err := us.GetMaster().Exec("UPDATE Users SET Password = :Password, LastPasswordUpdate = :LastPasswordUpdate, UpdateAt = :UpdateAt, AuthData = '', AuthService = '', EmailVerified = true, FailedAttempts = 0 WHERE Id = :UserId", map[string]interface{}{"Password": hashedPassword, "LastPasswordUpdate": updateAt, "UpdateAt": updateAt, "UserId": userId}); err != nil {
+		if _, err := us.GetMaster().Exec("UPDATE Users SET Password = :Password, LastPasswordUpdate = :LastPasswordUpdate, UpdateAt = :UpdateAt, AuthData = NULL, AuthService = '', EmailVerified = true, FailedAttempts = 0 WHERE Id = :UserId", map[string]interface{}{"Password": hashedPassword, "LastPasswordUpdate": updateAt, "UpdateAt": updateAt, "UserId": userId}); err != nil {
 			result.Err = model.NewLocAppError("SqlUserStore.UpdatePassword", "store.sql_user.update_password.app_error", nil, "id="+userId+", "+err.Error())
 		} else {
 			result.Data = userId
@@ -297,7 +297,7 @@ func (us SqlUserStore) UpdateFailedPasswordAttempts(userId string, attempts int)
 	return storeChannel
 }
 
-func (us SqlUserStore) UpdateAuthData(userId, service, authData, email string) StoreChannel {
+func (us SqlUserStore) UpdateAuthData(userId string, service string, authData *string, email string) StoreChannel {
 
 	storeChannel := make(StoreChannel)
 
@@ -513,7 +513,8 @@ func (us SqlUserStore) GetAllProfiles() StoreChannel {
 
 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}
 
@@ -564,7 +565,8 @@ func (us SqlUserStore) GetProfiles(teamId string) StoreChannel {
 
 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}
 
@@ -623,7 +625,8 @@ func (us SqlUserStore) GetDirectProfiles(userId string) StoreChannel {
 
 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}
 
@@ -665,7 +668,8 @@ func (us SqlUserStore) GetProfileByIds(userIds []string) StoreChannel {
 
 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}
 
@@ -696,7 +700,8 @@ func (us SqlUserStore) GetSystemAdminProfiles() StoreChannel {
 
 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 				userMap[u.Id] = u
 			}
 
@@ -734,20 +739,27 @@ func (us SqlUserStore) GetByEmail(email string) StoreChannel {
 	return storeChannel
 }
 
-func (us SqlUserStore) GetByAuth(authData string, authService string) StoreChannel {
+func (us SqlUserStore) GetByAuth(authData *string, authService string) StoreChannel {
 
 	storeChannel := make(StoreChannel)
 
 	go func() {
 		result := StoreResult{}
 
+		if authData == nil || *authData == "" {
+			result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", MISSING_AUTH_ACCOUNT_ERROR, nil, "authData='', authService="+authService)
+			storeChannel <- result
+			close(storeChannel)
+			return
+		}
+
 		user := model.User{}
 
 		if err := us.GetReplica().SelectOne(&user, "SELECT * FROM Users WHERE AuthData = :AuthData AND AuthService = :AuthService", map[string]interface{}{"AuthData": authData, "AuthService": authService}); err != nil {
 			if err == sql.ErrNoRows {
-				result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", MISSING_AUTH_ACCOUNT_ERROR, nil, "authData="+authData+", authService="+authService+", "+err.Error())
+				result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", MISSING_AUTH_ACCOUNT_ERROR, nil, "authData="+*authData+", authService="+authService+", "+err.Error())
 			} else {
-				result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", "store.sql_user.get_by_auth.other.app_error", nil, "authData="+authData+", authService="+authService+", "+err.Error())
+				result.Err = model.NewLocAppError("SqlUserStore.GetByAuth", "store.sql_user.get_by_auth.other.app_error", nil, "authData="+*authData+", authService="+authService+", "+err.Error())
 			}
 		}
 
@@ -857,7 +869,8 @@ func (us SqlUserStore) GetForExport(teamId string) StoreChannel {
 		} else {
 			for _, u := range users {
 				u.Password = ""
-				u.AuthData = ""
+				u.AuthData = new(string)
+				*u.AuthData = ""
 			}
 
 			result.Data = users
diff --git a/store/sql_user_store_test.go b/store/sql_user_store_test.go
index b48da55f5..5c33ea0f1 100644
--- a/store/sql_user_store_test.go
+++ b/store/sql_user_store_test.go
@@ -458,9 +458,11 @@ func TestUserStoreGetByAuthData(t *testing.T) {
 
 	teamId := model.NewId()
 
+	auth := "123" + model.NewId()
+
 	u1 := &model.User{}
 	u1.Email = model.NewId()
-	u1.AuthData = "123" + model.NewId()
+	u1.AuthData = &auth
 	u1.AuthService = "service"
 	Must(store.User().Save(u1))
 	Must(store.Team().SaveMember(&model.TeamMember{TeamId: teamId, UserId: u1.Id}))
@@ -469,7 +471,8 @@ func TestUserStoreGetByAuthData(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if err := (<-store.User().GetByAuth("", "")).Err; err == nil {
+	rauth := ""
+	if err := (<-store.User().GetByAuth(&rauth, "")).Err; err == nil {
 		t.Fatal("Should have failed because of missing auth data")
 	}
 }
@@ -497,19 +500,23 @@ func TestUserStoreGetByUsername(t *testing.T) {
 func TestUserStoreGetForLogin(t *testing.T) {
 	Setup()
 
+	auth := model.NewId()
+
 	u1 := &model.User{
 		Email:       model.NewId(),
 		Username:    model.NewId(),
 		AuthService: model.USER_AUTH_SERVICE_GITLAB,
-		AuthData:    model.NewId(),
+		AuthData:    &auth,
 	}
 	Must(store.User().Save(u1))
 
+	auth2 := model.NewId()
+
 	u2 := &model.User{
 		Email:       model.NewId(),
 		Username:    model.NewId(),
 		AuthService: model.USER_AUTH_SERVICE_LDAP,
-		AuthData:    model.NewId(),
+		AuthData:    &auth2,
 	}
 	Must(store.User().Save(u2))
 
@@ -525,14 +532,14 @@ func TestUserStoreGetForLogin(t *testing.T) {
 		t.Fatal("Should have gotten user1 by email")
 	}
 
-	if result := <-store.User().GetForLogin(u2.AuthData, true, true, true); result.Err != nil {
+	if result := <-store.User().GetForLogin(*u2.AuthData, true, true, true); result.Err != nil {
 		t.Fatal("Should have gotten user by LDAP AuthData", result.Err)
 	} else if result.Data.(*model.User).Id != u2.Id {
 		t.Fatal("Should have gotten user2 by LDAP AuthData")
 	}
 
 	// prevent getting user by AuthData when they're not an LDAP user
-	if result := <-store.User().GetForLogin(u1.AuthData, true, true, true); result.Err == nil {
+	if result := <-store.User().GetForLogin(*u1.AuthData, true, true, true); result.Err == nil {
 		t.Fatal("Should not have gotten user by non-LDAP AuthData")
 	}
 
@@ -545,23 +552,26 @@ func TestUserStoreGetForLogin(t *testing.T) {
 		t.Fatal("Should have failed to get user1 by email")
 	}
 
-	if result := <-store.User().GetForLogin(u2.AuthData, true, true, false); result.Err == nil {
+	if result := <-store.User().GetForLogin(*u2.AuthData, true, true, false); result.Err == nil {
 		t.Fatal("Should have failed to get user3 by LDAP AuthData")
 	}
 
+	auth3 := model.NewId()
+
 	// test a special case where two users will have conflicting login information so we throw a special error
 	u3 := &model.User{
 		Email:       model.NewId(),
 		Username:    model.NewId(),
 		AuthService: model.USER_AUTH_SERVICE_LDAP,
-		AuthData:    model.NewId(),
+		AuthData:    &auth3,
 	}
 	Must(store.User().Save(u3))
+
 	u4 := &model.User{
 		Email:       model.NewId(),
 		Username:    model.NewId(),
 		AuthService: model.USER_AUTH_SERVICE_LDAP,
-		AuthData:    u3.Username,
+		AuthData:    &u3.Username,
 	}
 	Must(store.User().Save(u4))
 
@@ -620,9 +630,9 @@ func TestUserStoreUpdateAuthData(t *testing.T) {
 	Must(store.Team().SaveMember(&model.TeamMember{TeamId: teamId, UserId: u1.Id}))
 
 	service := "someservice"
-	authData := "1"
+	authData := model.NewId()
 
-	if err := (<-store.User().UpdateAuthData(u1.Id, service, authData, "")).Err; err != nil {
+	if err := (<-store.User().UpdateAuthData(u1.Id, service, &authData, "")).Err; err != nil {
 		t.Fatal(err)
 	}
 
@@ -633,7 +643,7 @@ func TestUserStoreUpdateAuthData(t *testing.T) {
 		if user.AuthService != service {
 			t.Fatal("AuthService was not updated correctly")
 		}
-		if user.AuthData != authData {
+		if *user.AuthData != authData {
 			t.Fatal("AuthData was not updated correctly")
 		}
 		if user.Password != "" {
diff --git a/store/store.go b/store/store.go
index 7801f78f9..37aafdd4a 100644
--- a/store/store.go
+++ b/store/store.go
@@ -126,7 +126,7 @@ type UserStore interface {
 	UpdateLastActivityAt(userId string, time int64) StoreChannel
 	UpdateUserAndSessionActivity(userId string, sessionId string, time int64) StoreChannel
 	UpdatePassword(userId, newPassword string) StoreChannel
-	UpdateAuthData(userId, service, authData, email string) StoreChannel
+	UpdateAuthData(userId string, service string, authData *string, email string) StoreChannel
 	UpdateMfaSecret(userId, secret string) StoreChannel
 	UpdateMfaActive(userId string, active bool) StoreChannel
 	Get(id string) StoreChannel
@@ -136,7 +136,7 @@ type UserStore interface {
 	GetDirectProfiles(userId string) StoreChannel
 	GetProfileByIds(userId []string) StoreChannel
 	GetByEmail(email string) StoreChannel
-	GetByAuth(authData string, authService string) StoreChannel
+	GetByAuth(authData *string, authService string) StoreChannel
 	GetByUsername(username string) StoreChannel
 	GetForLogin(loginId string, allowSignInWithUsername, allowSignInWithEmail, ldapEnabled bool) StoreChannel
 	VerifyEmail(userId string) StoreChannel