social_auth, as configured in the demo project, appears to have a huge security hole in it.
Once you have verified a new user with a URL link (user verified via email address, not social media), anyone using the email address of that user can log in to their account using any password.
I've checked this a number of times using different browsers (to ensure it wasn't a cookie issue) and deleting the project database and setting up from scratch.