ionic-team / legacy-ionic-cloud

JavaScript Client for legacy Ionic Cloud services. See Ionic Pro for our new take on the ionic development lifecycle
Apache License 2.0

Basic Auth and Facebook Auth with same email creates two separate users #91

Open bgizdov opened 7 years ago

bgizdov commented 7 years ago

Hi,

I have an app with basic and Facebook login. The two types of authentication create two separate users for a user with the same email address.

Steps:

  1. Log in first with Facebook; the user is added to the Ionic Auth list.
  2. Log out.
  3. Register a new user with basic auth and the same email as the first account. The user is then registered and added to the Ionic Auth list.

Both users have the same email field in the Ionic Cloud auth list. I think this is bad behavior, because when the email is the same, the way of logging in doesn't matter. Both ways should register/log in to the same, single Ionic Auth account.

Thanks, Borislav.

ericb commented 7 years ago

@bgizdov This is intended behavior for the time being. Different social providers have different levels of validation and user data, and there is no way for us to directly validate that a user on a social network is the same as someone who registered with an email/password. There is also the issue of dealing with email changes across multiple systems, and not having the ability to control what changes the social providers may or may not make in the future.

Having said that, I definitely would like to provide a way for apps to do this either by way of suggestion (aka, user X appears to be the same as Y) or through a user merge tool. Do you have any thoughts on a workflow that would suit your app without our auth system automatically updating users on your behalf?

bgizdov commented 7 years ago

Hi @ericb

The main issue with this was that our users have a paid membership and it is attached to one of the accounts. When logging in later, they may think that they logged in with the same account and see that their membership has disappeared, but it is because they logged in with another account.

For now I use this workaround: when the user first registers with email or Facebook, I save this in a DB. When the user logs out and logs in again later, they are allowed to log in only from the first registered account, the one they used the first time.

It actually may create two users in Ionic Cloud auth (email & FB), but the user can log in only with the first one created. This is because when logging in with Facebook, we can get the email only after login, and the user is created in Ionic Auth.

jameslporter commented 7 years ago

I ran into this same exact issue. Can you describe the workaround in more detail? Can someone with Ionic suggest some plan to handle this common situation? I think maybe the merge idea would be good; to satisfy your security concerns, you could make the merge ask them to auth to the first account. If they can log in to the first, then merge the current social login into that.
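
The merge flow discussed in this thread, sketched as an added example that is not part of the original thread and not Ionic Cloud code: a second login method with a matching email is neither given a new account nor merged automatically, and is linked only once the caller proves a live session on the first account. The `AccountLinker` class, its in-memory maps and the sample identities are all hypothetical.

```javascript
// Added example. In-memory stand-in for an app-side user store; every name
// here is hypothetical and none of it is Ionic Cloud API.
const crypto = require('crypto');

class AccountLinker {
  constructor() {
    this.byIdentity = new Map(); // "provider:subject" -> accountId
    this.byEmail = new Map();    // normalized email -> accountId
    this.sessions = new Map();   // session token -> accountId
    this.pending = new Map();    // unlinked identity -> accountId it may join
  }

  startSession(accountId) {
    const token = crypto.randomBytes(16).toString('hex');
    this.sessions.set(token, accountId);
    return token;
  }

  // Call only after the provider ("basic" or "facebook") has authenticated the user.
  signIn(provider, subject, email) {
    const identity = `${provider}:${subject}`;
    const known = this.byIdentity.get(identity);
    if (known) return { status: 'ok', accountId: known, token: this.startSession(known) };

    const norm = email.trim().toLowerCase();
    const owner = this.byEmail.get(norm);
    if (owner) {
      // Same email, new login method: no second account and no silent merge.
      this.pending.set(identity, owner);
      return { status: 'link_required', accountId: owner, identity };
    }
    const accountId = crypto.randomUUID();
    this.byIdentity.set(identity, accountId);
    this.byEmail.set(norm, accountId);
    return { status: 'created', accountId, token: this.startSession(accountId) };
  }

  // Merge only when the caller holds a live session on the first account.
  link(identity, token) {
    const owner = this.pending.get(identity);
    if (!owner || this.sessions.get(token) !== owner) return false;
    this.byIdentity.set(identity, owner);
    this.pending.delete(identity);
    return true;
  }
}
```

A `link_required` result is the point where the app asks the user to sign in with their original method; paid membership stays attached to the single account throughout.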