NoamB / sorcery

Magical authentication for Rails 3 & 4
MIT License

Local and External duplicate users. #252

Open kyledayton opened 12 years ago

kyledayton commented 12 years ago

Our application supports local accounts and facebook signup. If a user creates a local account, logs out, then signs up with a facebook account that has the same email address as the local account, it creates another account. Wouldn't it make more sense to add the external authentication to the existing user? Is there anyway to make sorcery behave this way?

m4tm4t commented 12 years ago

I'm not using external currently, but I think it's not a good idea & very dangerous to link an external account into a local one by email address! And some providers don't give the email.

burlesona commented 12 years ago

Comwiz, I agree there should be simple built-in functionality to add authentications to existing users rather than create duplicate users. I haven't been able to find docs on this, but I'm working on it right now so I'll post a solution if I can find one.

m4tm4t commented 12 years ago

The solution is adding available providers to the current_user (who should be logged in):

https://github.com/NoamB/sorcery/pull/261

jjnevis commented 11 years ago

I am also having issues with this. I am using email as my user identifier (which makes great sense because it's effectively the only unique identifier we have for a person), so if an existing local user chooses "login with facebook" I think it should simply add a legitimate external authentication to that user's account (assuming their facebook email is the same as the one used to sign up locally in the first place). I am achieving this by:

```ruby
# Sorcery helper: builds a user from the provider's response and runs validations
@user = create_and_validate_from(provider)
```

If the creation fails on duplicate email then find the existing user (using session data created by above method) and add the authentication from facebook:

```ruby
# Look up the local account by the email the provider returned
# (sorcery stored the provider response in session[:incomplete_user])
@user = User.find_by_email(session[:incomplete_user][:user_hash][:email])
# Attach the external authentication to that account, skipping validations
@user.authentications.build(provider: provider, uid: session[:incomplete_user][:provider][:uid]).save(validate: false)
auto_login(@user)
```

So, I think external authentications should not bypass validations when creating user records.

(Thanks for the great work by the way)

arnvald commented 10 years ago

I've been thinking about this issue recently. Here's a solution I came up with:

When a user chooses to sign up with OAuth, we check for an e-mail in the provider response and we check if there's already a user with the same e-mail address.

This solves all the problems: we don't create duplicates, we return proper information, and the developer may choose whether to show the message I mentioned or simply add the authorization method to the existing user.
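An added example (not sorcery's code, and not from any commenter) that puts the thread's points into one callback decision: a logged-in user may attach a provider to their own account (the approach of PR #261), an anonymous OAuth sign-up that merely shares an e-mail with a local account is reported rather than silently merged (m4tm4t's warning, arnvald's "return proper information"), and a missing provider e-mail is tolerated. `AccountLinker`, the structs and the in-memory user list are assumptions standing in for the models and the `session[:incomplete_user]` data.

```ruby
# Added example, not part of sorcery. Structs stand in for the User and
# Authentication models; @users is a constructed in-memory users table.
Authentication = Struct.new(:provider, :uid)
User = Struct.new(:id, :email, :authentications)

class AccountLinker
  def initialize(users)
    @users = users
  end

  # provider_data: hash with :provider, :uid and an optional :email taken from
  # the provider response. current_user: the logged-in user, or nil.
  # Returns [action, user] where action is one of
  #   :login_existing  provider uid already linked, log that user in
  #   :link_current    logged-in user connected a new provider
  #   :existing_email  local account with this e-mail exists, do NOT auto-link
  #   :create          no match, a new user was created
  def resolve(provider_data, current_user: nil)
    linked = find_by_authentication(provider_data[:provider], provider_data[:uid])
    return [:login_existing, linked] if linked

    if current_user
      # The session, not the e-mail address, authorises this link.
      current_user.authentications << Authentication.new(provider_data[:provider], provider_data[:uid])
      return [:link_current, current_user]
    end

    # Some providers omit the e-mail; nil simply skips the duplicate check.
    email = provider_data[:email]&.strip&.downcase
    local = email && @users.find { |u| u.email&.downcase == email }
    # A matching e-mail in the provider response is not proof of ownership of
    # the local account, so report it and let the app ask for a local login.
    return [:existing_email, local] if local

    user = User.new(@users.size + 1, email,
                    [Authentication.new(provider_data[:provider], provider_data[:uid])])
    @users << user
    [:create, user]
  end

  private

  def find_by_authentication(provider, uid)
    @users.find { |u| u.authentications.any? { |a| a.provider == provider && a.uid == uid } }
  end
end
```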