This is only relevant if you primarily use an SSO solution and want to automatically update the name and email_address of your users, i.e. if the SSO setting update_on_login is true.
Right now server/auth/sso/passport-login::maybeUpdateAccountAndPassport only updates the name, but skips the email address. It should rather check if the new email address isn't already associated with another account – if not, then change it for the user. That way, no accidental account takeover happens.
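One way to implement the check this issue asks for, as an added example that is not the project's code. The Account shape, the applySsoProfile function and the in-memory account list are assumptions standing in for the real database lookup.

```typescript
// Hypothetical account record; not the project's schema.
interface Account {
  account_id: string;
  name: string;
  email_address: string;
}

type EmailUpdate = "unchanged" | "updated" | "conflict" | "invalid";

// Compare addresses case-insensitively and without surrounding whitespace,
// so "Bob@Example.org" cannot slip past a check against "bob@example.org".
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Apply the name and email asserted by the SSO provider to the account logging in.
// The email is changed only if no *other* account already holds it.
function applySsoProfile(
  accounts: Account[],
  account: Account,
  sso: { name: string; email: string },
): EmailUpdate {
  account.name = sso.name; // the name is always updated, as described in the issue
  const wanted = normalizeEmail(sso.email);
  if (wanted.indexOf("@") < 1) return "invalid"; // empty or malformed: keep old address
  if (wanted === normalizeEmail(account.email_address)) return "unchanged";
  const taken = accounts.some(
    (other) =>
      other.account_id !== account.account_id &&
      normalizeEmail(other.email_address) === wanted,
  );
  if (taken) return "conflict"; // address belongs to someone else: do not touch it
  account.email_address = wanted;
  return "updated";
}

// Constructed sample data: two accounts, then three SSO logins for Alice.
function demo(): EmailUpdate[] {
  const alice: Account = { account_id: "a1", name: "Alice", email_address: "alice@example.org" };
  const bob: Account = { account_id: "b2", name: "Bob", email_address: "bob@example.org" };
  const accounts = [alice, bob];
  return [
    applySsoProfile(accounts, alice, { name: "Alice A.", email: "Alice@Example.org" }),
    applySsoProfile(accounts, alice, { name: "Alice A.", email: " BOB@example.org" }),
    applySsoProfile(accounts, alice, { name: "Alice A.", email: "alice@new.example" }),
  ];
}
```

Against a real database the lookup and the update have to be one atomic step (a unique constraint on the normalized address, or a transaction); otherwise two concurrent logins can both pass the check.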