Open carols10cents opened 13 years ago
Would these users then have a blank password in the database? Can you do a quick check for the length of > 0 or .nil?/.empty?
Maybe you can do a quick check when a user logs in for the presence of a password?

```ruby
def login_check
  # Only run the normal login when the user actually has a password;
  # otherwise send them to the reset flow so they can set one.
  if @user.password
    login(un, pw)
  else
    redirect "/users/password_reset"
  end
end
```
But you can't reset your password unless you are either logged in or have an email address. The above steps are a way to get into a situation where you have an account that does not have an email address or a password.
I feel like the solution is going to have to be a check when someone removes a twitter or facebook auth, to make sure the account has either the other of twitter|facebook remaining or forces them to set a password at that point (and ideally an email too).
True, I hadn't thought about them not having an email address either. Your proposed solution would also be better because the amount of people affected would be less.
My solution would impose a check on everyone logging in whereas your solution is only affecting those users who are removing an auth method.
@clnclarinet https://gist.github.com/981093 thoughts?
Or maybe instead of that we just check to see if the user.email_address is blank before performing auth.destroy and if it is, flash an error and tell them to add their email and save it first?
I think your comment is more along the right lines: they could navigate away from the set email page that your gist would send them to, and then their account would be in the bad state.
Perhaps when you click a remove link on the profile edit page it checks to see if you have an email defined and if not, force it to be set before you can remove an auth method.
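The guard discussed in this thread, as an added example that is not rstat.us code: the destroy is refused up front when the provider being removed is the last one and the account has no password or no email left to recover with, so the account can never reach the unrecoverable state. Account, Authorization and the method names are assumptions.

```ruby
# Added example, not rstat.us code: refuse to destroy the last linked
# provider unless the account keeps a way to log in (password) and a way
# to recover (email). Account/Authorization names are hypothetical.
Authorization = Struct.new(:provider, :uid)

class Account
  attr_reader :authorizations, :email, :password_digest

  def initialize(authorizations:, email: nil, password_digest: nil)
    @authorizations = authorizations
    @email = email
    @password_digest = password_digest
  end

  def password?
    !password_digest.to_s.empty?
  end

  def email?
    !email.to_s.strip.empty?
  end

  # Symbols naming what is still missing if +auth+ were removed now.
  # Empty when another provider would remain, or when the user already
  # has both a password and an email on record.
  def removal_blockers(auth)
    return [] unless remaining_after(auth).empty?
    blockers = []
    blockers << :no_password unless password?
    blockers << :no_email unless email?
    blockers
  end

  # Returns [:ok, msg] or [:error, msg]; on :error nothing is destroyed,
  # so the caller can flash the message and leave the profile page intact.
  def remove_auth!(auth)
    blockers = removal_blockers(auth)
    unless blockers.empty?
      return [:error, "Set a password and an email address before removing your last login method (missing: #{blockers.join(', ')})"]
    end
    @authorizations = remaining_after(auth)
    [:ok, "Removed #{auth.provider} login"]
  end

  private

  def remaining_after(auth)
    authorizations.reject { |a| a.provider == auth.provider && a.uid == auth.uid }
  end
end
```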
I'll dig into this weekend if I can, Carol. I'm also working on the URL shortening thing; it's taking a bit longer since it's my first foray into non-trivial JS.
@clnclarinet https://github.com/caleywoods/rstat.us/commit/467d99fc71e5a02bdd254283d452659f6b60241a what do you think? I haven't fully tested it yet because I haven't set up email on my machine. It will not, however, let you trash an auth method if you don't have an email associated.
To reproduce: