Supreme-Leader two possible explainations:

  1. The extension didn't migrate properly. Try running php flarum migrate in your webserver's root dir.

  2. You are the first person other than me to serve a strike and therefore no one has reported this bug before.

      Disabling email registration breaks changing your password.
      Changing your password requires a valid email to send the password reset link to.
      Changing your email to a valid email requires knowing your password.
      If signing up with SSO/token your password is a random string.
      You see where this is going...

      I'd fix the issue like so:
      Don't assign random password for SSO/token login but use empty password.
      Don't allow login with empty password obv.
      But allow changing your password if it's empty.

      If the user forgets their set password and did not set a valid email then idk.
      Maybe allow changing the email without entering a password.
      Or instead of setting an invaild email (username@username.com) set it to empty and allow changing your password when the email is empty.

      However for existing installations the user database is already a mess because of the inconsistently generated emails and passwords....

      Also saving the settings did not work for me, I had to edit the php and save them with $this->settings->set

        BotoX SSO isn't meant to be logged in directly, you are supposed to log in with your SSO each time. Example: if I register with GitHub I will need to sign in with GitHub each time. I believe this means this is an issue with Flarum's core rather than user management.

            Kyrne correct, you should use "remember me for two weeks" so your session doesn't expire if you don't want to re-authenticate every time. This is not a shortcoming of Flarum - perhaps a bit of SPA design, but in the end it's called security ?

              Kyrne Yes, it's definitely not only to blame on user management.
              But instead of saving a random password you could set it to a vaild password before the validation check and then change it to "" afterwards.
              Also same for the email, use a valid one for the validation then change it to NULL before saving. For this to work the email column needs to be NULLable.
              That's what I do right now and it works fine.
              Users may choose to switch to native accounts instead of SSO or use both.

              For example I require users to sign up with Steam SSO but allow them to specify an email and password after they authenticated with steam:

              Sign Up:

              ... authenticate with SSO (Steam) ...

              Complete sign up:

              You can't log in with an empty password ("") because it will turn into some hash "$2y$10$...." that is not equal the saved empty string ("") in the database.
              For changing your E-Mail when no password is set flarum core needs to be modified so that it will return success when the password stored in the DB is an empty string ("").

              If interested I can publish my changes.
              In production on https://forum.gflclan.ru

                  BotoX I'm not sure if I follow. User management doesn't change anything about how passwords work when you sign up. Are you suggesting this as a feature?

                      Kyrne I guess this makes more sense as a feature request.
                      I'm using User management for better SSO in flarum.
                      Since if you use SSO in native flarum you still need to create an account with email + password...
                      So I use this for removing the possibility of normal registration completely but still offer the possibility of normal accounts after SSO sign up.
                      It makes sense for me because I only want people with a steam account to be able to sign up on my forum, but don't want to bother them with using steam for logging in on all their devices.

                      I'll just maintain my own fork with this I guess, didn't work a lot with PHP so using this as a base definitely helped.

                          screenshot

                          Links point to null, but they were all served on the same post. As #4 pointed out, nothing stopped me from serving multiple strikes for the same post, even after refresh.

                          Links are pointing to http://testbed.legendofdevira.com/flarum/d/null when they should point to http://testbed.legendofdevira.com/flarum/d/6-to-split-or-not/9

                          Also, I'm not sure why Actor is the test user. Shouldn't it be Admin (my user) for serving the strikes?

                            jordanjay29 Do you mind installing dev-master and then running php flarum migrate? Please let me know if it is fixed.

                                Kyrne Just to be clear, the issue I had reported is not fixed in the dev-master version.

                                The link now points to the correct post (at least those served after your fix, the old ones point to http://testbed.legendofdevira.com/flarum/d/0/6), but the actor is still test (why? the header tells me which user this is, shouldn't the actor be the giver of the strike? otherwise this column seems useless) and I can still serve multiple strikes on the same post, even after it's soft-deleted.

                                    jordanjay29 so you are saying the actor is the poster and not the striker?

                                    I will make it so you can't do multiple strikes soon.

                                        Kyrne you can see for yourself on the screenshot. The user in question is at the top, all the strikes were served by the admin account.