strongloop / loopback-component-passport

LoopBack passport integration to support third party logins and account linking

when credentials are being updated, they delete the refresh token #261

Closed regevbr closed 5 years ago

regevbr commented 6 years ago

Steps to reproduce

  1. user logs in for the first time (using Google, for example)
  2. credentials field saves the refresh token and access token (given that an offline access scope was requested)
  3. user logs in again
  4. the userIdentity and userCredentials models are performing an update to the credentials field, which now doesn't include the refresh token (the refresh token in Google is given only once), thus deleting it from persistence.

Expected result

Only save changed parts of the credential field when it is being updated.

Additional information

This can be easily fixed by performing a "merge" operation on the existing credentials field and the new one, thus updating only relevant parts and not deleting existing ones.

I'm aware it is my responsibility to save the refresh token aside, still I believe the current behavior is not desired.

I probably don't have enough knowledge in the matter and the suggested fix might break other 3rd party logins that do need to completely replace the credentials field - your input is requested on the matter.
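
The "merge" proposed in the comment above, as an added example that is not part of the original thread and is not loopback-component-passport code. `mergeCredentials` and `demo` are hypothetical names, and the `accessToken` / `refreshToken` field names and token values are constructed for illustration.

```javascript
'use strict';

// Hypothetical helper (not the project's API): merge a newly received
// credentials object into the stored one instead of replacing it.
function isAbsent(value) {
  return value === undefined || value === null || value === '';
}

function mergeCredentials(existing, incoming) {
  const merged = Object.assign({}, existing || {});
  for (const [key, value] of Object.entries(incoming || {})) {
    // A field the provider did not send again (e.g. the refresh token on a
    // repeat login) must not erase the value already persisted.
    if (isAbsent(value)) continue;
    merged[key] = value; // fields that were reissued or rotated still win
  }
  return merged;
}

function demo() {
  // Constructed sample payloads, assumed shape {accessToken, refreshToken}.
  const firstLogin = {accessToken: 'at-1', refreshToken: 'rt-1'};
  const secondLogin = {accessToken: 'at-2', refreshToken: undefined};
  const rotated = {accessToken: 'at-3', refreshToken: 'rt-2'};

  // Behaviour reported in this issue: the stored object is replaced wholesale.
  const overwritten = Object.assign({}, secondLogin);

  // Merge behaviour: the stored refresh token survives the second login,
  // and a newly issued one replaces it when the provider sends one.
  const stored = mergeCredentials(null, firstLogin);
  const afterSecond = mergeCredentials(stored, secondLogin);
  const afterRotate = mergeCredentials(afterSecond, rotated);
  return {overwritten, afterSecond, afterRotate};
}

// Print only whether a refresh token is present, never the token itself.
const result = demo();
for (const [name, creds] of Object.entries(result)) {
  console.log(name, 'has refresh token:', !isAbsent(creds.refreshToken));
}
```

A merge also keeps a stored field that a provider intentionally stopped sending, which is the case the comment raises about logins that need a full replace.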

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 5 years ago

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.