Logging in with a social login linked with another account does not link the two accounts

[alastairs]

Repro

1. Log into the DDD EA site with a social login (e.g., GitHub), and register an account with DDD EA.
2. Log off.
3. Log into the DDD EA site with a different social login (e.g., Twitter), and register a second account with DDD EA.
4. Go to the Manage Logins page, and click the button for the first social login (i.e., GitHub).

Expected

• The two accounts are linked/combined, including session details (and, later, voting records).

Actual

• I am logged out of DDD EA as the Twitter user and logged in as the GitHub user.
• I can continue to switch between the two accounts by clicking the buttons on the Manage Logins page.
• I cannot link either account to the other account's social login
• I cannot disassociate either account with the social login, as I am logged in with the associated login
• I cannot delete my account to allow me to associate my preferred account with the secondary social login.

[alastairs]

I'm starting to wonder if this is even desirable behaviour: any fix we put in will surely open the door to account hijack exploits.

Perhaps the fix is provide a "delete account" option, or perhaps a way of requesting the combination of two accounts so that we can do it ourselves. That would make this a piece of functionality for the admin area rather than for our users.

[alastairs]

This basically disappears if we hide the login functionality for everything but those things that require it (I.e. session submission).