User Flow in PROCEED: smaller improvements

[iaktern]

User Settings:

• [x] Use an backend, local avatar generator for every account: https://www.npmjs.com/search?q=avatar%20generator (the user does not need to select an avatar -> PROCEED automatically selects an avatar for every user account)

• [ ] make the Mail address changeable for a user account. The Mail should only be changed if the user confirms the new mail address

• Linking of multiple (OAuth) accounts to one PROCEED user. Questions (Compare with Miro, etc.):

  • [ ] should it be possible to link other OAuth account with different mail addresses to one PROCEED user?
  • [ ] how are the OAuth user accounts compared to the PROCEED user account: by mail?
  • [ ] if someone logged in by OAuth first, is it afterwards possible to login by mail?
  • [ ] should it be possible to link other mail accounts to one PROCEED user?
  • [ ] how should the connection to one PROCEED user account be realized? (user setting, login flow, etc.)

Login Screen:

• [ ] Different Login-Screen at PROCEED Start and at Clicking "Sign In". The following login modals should appear:

• [x] Realize Login Modals
• [x] "Continue as Guest User" with small hint: "Note: If you select "Continue as Guest", the PROCEED Platform is functionally restricted and your created processes will not be accessible on other devices. All your data will be deleted automatically after a few days."
• [x] "Login" with small hint: "Note: Simply login with your e-mail address and we will send you an access link."
• [x] Put the Guest hint also as a Banner into the PROCEED UI, if Guest
• [ ] add OAuth Provider: Google, Auth0, Twitter, Atlassian, Discord
• [ ] add Link to Website with Terms of Service

[FelipeTrost]

@iaktern about the questions of multiple accounts:

There is a difference between user and account. A user represents an actual person, whereas account represents an oauth sign in that a user can use. That being said, next-auth stores the email in user and not in an account, and creates a "fake" account when calling next-auth's callbacks.

When next-auth receives a sign-in, it proceeds differently according to whether a user was already signed in or not. If a user was signed in (valid next-auth cookies were set in the request), and the account he used to sign in isn't registered for another user, the account gets linked to the user, this is the only way this can happen (you can set flags to link accounts to users based on the email, but this is not recommended). Note that if the account already belonged to that user, then the user is just authenticated.

If there was no user signed in, then next-auth searches a user based on the email specified in the account that the request is using to sign in. If there is a user with that mail, next-auth doesn't link the account to the user as stated before and throws an error. If it finds no user, then a new user and an account associated to it, are created.

Additionally, we add our own logic in the signIn hook that next-auth provides, where if a user, that is already signed in and is a guest, is signing in with a valid account, we update the user's record, to show that he is no longer a guest.

How next-auth handles this is a bit confusing, and I haven't seen it well documented in the docs, if you want, I could make a diagram with this flow.