iMerica / dj-rest-auth

Authentication for Django Rest Framework
https://dj-rest-auth.readthedocs.io/en/latest/index.html
MIT License

`SocialConnectView.process_login()` should not perform login #464

Open okapies opened 1 year ago

okapies commented 1 year ago

`process_login()` in `SocialConnectView` tries to issue a new session tied to the specified social account (when `REST_SESSION_LOGIN` is `True`), but I think this behavior is not expected, especially when the social account already exists in the DB:

  1. Sign up and log in as User 1, tied to SocialAccount 1
  2. Log out
  3. Sign up and log in as User 2, tied to SocialAccount 2
  4. Run the /connect API for User 2 with SocialAccount 1
  5. `_add_social_account` rejects the operation
  6. `SocialConnectView` runs `django_login()` and refreshes the user's session with a new one tied to User 1, even though the connection has failed

Ref. #25.
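A minimal model of the flow described in the steps above, added here as an example and not code from dj-rest-auth: a dict stands in for the SocialAccount table, another dict for the Django session, and the provider name and ids are constructed. It contrasts a connect view that performs login with one that leaves the caller's session alone.

```python
class ConnectError(Exception):
    """Raised when the social account is already linked to another user."""


def add_social_account(db, session_user, provider, uid):
    # Mirrors the rejection the issue attributes to _add_social_account:
    # an account already linked to a different user cannot be re-connected.
    owner = db.get((provider, uid))
    if owner is not None and owner != session_user:
        raise ConnectError("already connected to user %d" % owner)
    db[(provider, uid)] = session_user
    return session_user


def connect_with_login(db, session, provider, uid):
    """Problematic shape: connect, then log in as the social account's owner."""
    social_owner = db.get((provider, uid), session["user_id"])
    try:
        add_social_account(db, session["user_id"], provider, uid)
        ok = True
    except ConnectError:
        ok = False
    # process_login() ran regardless of the outcome, so the caller's
    # session is now tied to whoever owns the social account.
    session["user_id"] = social_owner
    return ok


def connect_without_login(db, session, provider, uid):
    """Hardened shape: connect only; the caller's session is never replaced."""
    try:
        add_social_account(db, session["user_id"], provider, uid)
        return True
    except ConnectError:
        return False


def reproduce():
    # Constructed data: SocialAccount 1 is linked to User 1; User 2 is logged in
    # and calls /connect with SocialAccount 1 (steps 4-6 of the report).
    db = {("example-provider", "social-1"): 1}
    buggy_session = {"user_id": 2}
    fixed_session = {"user_id": 2}
    buggy_ok = connect_with_login(db, buggy_session, "example-provider", "social-1")
    fixed_ok = connect_without_login(db, fixed_session, "example-provider", "social-1")
    # Returns (connect result, session user) for each variant.
    return buggy_ok, buggy_session["user_id"], fixed_ok, fixed_session["user_id"]
```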

BoHuang-aspecta commented 1 year ago

I'm also confused about why SocialConnectView needs to perform login. Could someone explain it?