e107inc / e107

e107 Bootstrap CMS (Content Management System) v2 with PHP, MySQL, HTML5, jQuery and Twitter Bootstrap. Issue Discussion Room: https://gitter.im/e107inc/e107
https://e107.org
GNU General Public License v3.0

[Question] no oauth login if you are already registered by normal way? #1676

Open nesjett opened 8 years ago

nesjett commented 8 years ago

I think that if you are already registered on the site and you later try to log in with OAuth, and both emails are the same, you should automatically be logged in. Currently this doesn't happen on e107, but on other sites that's the way it works.

I don't know how to do this without making a security hole, so please, can someone bring me some light about this? @CaMer0n?

Thanks,

CaMer0n commented 8 years ago

I believe the check needs to occur in user_handler.php around line 1080.

    // Match the incoming social-login identity against an existing account.
    // Every value that goes into the WHERE clause is escaped, as user_xup already was.
    $insert = (!empty($userdata['user_email'])) ? "OR user_email='".$sql->escape($userdata['user_email'])."' " : "";

    $this->log(__CLASS__, __METHOD__, __LINE__);

    $where = "user_xup='".$sql->escape($this->userId())."' ".$insert
           ."OR user_loginname='".$sql->escape($userdata['user_loginname'])."' "
           ."OR user_name='".$sql->escape($userdata['user_name'])."'";

    if($uid = $sql->retrieve("user", "user_id", $where))
    {
        // An account already exists: log it in through the provider instead of creating a duplicate.
        // $this->login($redirectUrl); // auto-login
        e107::getUser()->loginProvider($this->userId());

        if($redirectUrl)
        {
            e107::getRedirect()->redirect($redirectUrl);
        }

        return false;
        // throw new Exception( "Signup failed! User already exists. Please use 'login' instead.", 3);
    }
nesjett commented 8 years ago

Thank you @CaMer0n, I was already looking at those functions, but would making this check to log in the user be secure? I mean, could someone send a message to my site pretending to be, for example, Twitch, with a user email, so that if the email is already in the DB, he would get logged in?

I'm not sure about how login APIs work at all.

CaMer0n commented 8 years ago

I don't think so, because the data needs to come from a provider, which involves all their tokens and "handshaking".
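As an added example (not e107 code, and not from either commenter), here is how the account-linking check discussed in this thread can be written so that it stays safe: match the existing account on the provider's stable user id first, fall back to the e-mail only when the provider asserts it is verified, and never match on a login name or display name, since anyone can pick those at the provider to collide with a local account. The `$profile` array is assumed to be what the server itself obtained from the provider after the code-for-token exchange and userinfo request (the "handshaking" above), never something posted by the browser. The `user` table layout, the `provider_sub` string stored in `user_xup`, and the `email_verified` flag (the OpenID Connect claim of that name) are assumptions made for this illustration; the script uses PDO with an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not e107 project code. Shows a safe version of the
// "already registered, now logging in via OAuth" check.
//
// Assumptions: $profile comes from the server-side token exchange and
// userinfo fetch with the provider; the `user` table below is a constructed
// stand-in for e107's table; user_xup holds "<provider>_<subject id>".
declare(strict_types=1);

/**
 * Return the local user_id this provider identity may log in as, or null
 * when there is no safe match (the caller then falls through to signup).
 */
function findLinkedUser(PDO $db, string $provider, array $profile): ?int
{
    // 1. Strong link: the provider's stable subject id stored at an earlier login.
    $xup  = $provider . '_' . (string) $profile['sub'];
    $stmt = $db->prepare('SELECT user_id FROM user WHERE user_xup = :xup');
    $stmt->execute([':xup' => $xup]);
    $uid = $stmt->fetchColumn();
    if ($uid !== false) {
        return (int) $uid;
    }

    // 2. Weaker link: e-mail, accepted only when the provider marks it verified.
    //    An unverified address can be entered by anyone at the provider and
    //    would let them take over the matching local account.
    if (empty($profile['email']) || empty($profile['email_verified'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id FROM user WHERE user_email = :email');
    $stmt->execute([':email' => $profile['email']]);
    $uid = $stmt->fetchColumn();
    if ($uid === false) {
        return null;
    }

    // 3. Persist the strong link so later logins never depend on the e-mail path.
    $upd = $db->prepare('UPDATE user SET user_xup = :xup WHERE user_id = :id');
    $upd->execute([':xup' => $xup, ':id' => (int) $uid]);
    return (int) $uid;
}

// --- constructed demo data (not real accounts) ---------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT,
           user_loginname TEXT, user_email TEXT, user_xup TEXT)');
$db->exec("INSERT INTO user VALUES (1, 'alice', 'alice', 'alice@example.com', '')");

// Profiles as the provider would return them after the handshake.
$verified   = ['sub' => '4242', 'email' => 'alice@example.com', 'email_verified' => true];
// Same address, but the provider has not verified it: must not log in.
$unverified = ['sub' => '9999', 'email' => 'alice@example.com', 'email_verified' => false];
// A colliding display name is not a link at all.
$nameOnly   = ['sub' => '7777', 'email' => 'other@example.net', 'email_verified' => true,
               'name' => 'alice'];

var_dump(findLinkedUser($db, 'twitch', $unverified));
var_dump(findLinkedUser($db, 'twitch', $nameOnly));
var_dump(findLinkedUser($db, 'twitch', $verified));
// After the verified login the link is stored in user_xup, so the same
// subject id now matches even when the provider sends no e-mail at all.
var_dump(findLinkedUser($db, 'twitch', ['sub' => '4242', 'email_verified' => false]));
```

The matching order mirrors the `user_xup` / `user_email` lookup in the `user_handler.php` snippet above, but drops the `user_loginname` and `user_name` clauses: those fields are chosen by the user at the provider, so matching on them would let an attacker log in as any local account whose name they can reproduce. Whether an e-mail match is acceptable at all depends on the provider guaranteeing that it verified the address; if a provider offers no such flag, treat its e-mail as unverified.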

CaMer0n commented 8 years ago

This code only applies to the social login, not the main e107 login.

nesjett commented 8 years ago

Okay, thank you!

PS: I think it would be good for e107 to save the user access token for future uses (not sure if I should open a new issue, I already opened a lot hehe).

CaMer0n commented 8 years ago

@nesjett You can open a new issue for that if you wish. BTW, if you have code-specific questions you can usually reach me in the e107 chatroom https://gitter.im/e107inc/e107