Closed kangmingtay closed 6 months ago
:tada: This PR is included in version 2.60.0 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
I think I've found a few issues with this, specifically using `twitter` as the provider.

After doing `unlinkIdentity` for `twitter`, I can still sign back in with the same Twitter account and it gets added/linked back to the same old account automatically. The Twitter account is using a different email address; I'd assume if I unlink it, and then do a new sign in/sign up, it would create a new account for me based on the email from the Twitter account, but that is not the case.

I'm not sure if this is related, but `unlinkIdentity` removes the record from the `auth.identities` table and doesn't clean/delete the data in `raw_user_meta_data` in the `auth.users` table (which is where the twitter data is stored).

`linkIdentity` using `twitter` as the provider doesn't work as expected. It returns error code 500 not found and `request token doesn't match token in callback`. It works fine for `google` and `discord` as the provider. It also works fine when I use `signInWithOAuth`, so this should not be a Twitter APP settings issue on my end. I can see the error in the URL after the redirect back from Twitter. Apart from the error, it also logs me out of the application.

`/account?error=server_error&error_code=500&error_description=Request+token+doesn%27t+match+token+in+callback#error=server_error&error_code=500&error_description=Request+token+doesn%2527t+match+token+in+callback`

@kangmingtay @J0 would you be able to help please?
Hey @chhuang,

Thanks for filing the issue and for your patience with us while we work through the tickets. Might need to trouble you for a bit of information. For:

> After doing unlinkIdentity for twitter, I can still sign back in with the same Twitter account and it gets added/linked back to the same old account automatically. The Twitter account is using a different email address, I'd assume if I unlink it, and then do a new sign in/sign up, it would create a new account for me based on the email from the Twitter account, but that is not the case.

As I understand the first steps would be:

- john@gmail.com) and then signs in with Twitter OAuth (primary_email: john@gmail.com). Let's call this UserA.
- `unlinkIdentity` for `twitter`. UserA now has one identity.

Mind sharing more about the next step?

> I can still sign back in with the same Twitter account and it gets added/linked back to the same old account automatically.

I am guessing here but would it be:

- john@gmail.com) and Identity is again linked to UserA (?)

If you have a linked video that would be very helpful.

> I'm not sure if this is related, unlinkIdentity remove the record from the auth.identities table but it doesn't clean/delete the data in raw_user_meta_data in the auth.users table (which is where the twitter data is stored).

I think `unlinkIdentity` only updates the providers `app_meta_data` and does not touch `raw_user_metadata`. Do you mind sharing what fields remain in `raw_user_metadata` and what you'd like cleared?

> linkIdentity using twitter as the provider doesn't work as expected. It returns error code 500 not found and request token doesn't match token in callback. It works fine for google and discord as the provider. It also works fine when I use with signInWithOAuth, so this should not be a Twitter APP settings issue on my end. I can see the error in the URL after the redirect back from Twitter. Apart from the error, it also logs me out of the application.

I'm spitballing and will need to check further but there might be a mismatch in one of the fields of the JWT. If you see any differences that stand out let us know.

Thanks!
Thanks for looking into this @J0

Scenario 1 A (not working):

- user-a-google@gmail.com)
- user-a-twitter@gmail.com), the linking fails. Important to note that this is a brand new Twitter account that has never been used to create or sign in before in our system.

  `{"code":401,"msg":"invalid claim: missing sub claim"}`

In the same scenario, User A can sign in with Twitter (user-a-twitter@gmail.com) with no problem. I only did this after I failed to link it to user-a-google@gmail.com in step 1. But now I have created 2 different accounts, one with Google and one with Twitter. Obviously this was not the initial intention.

Scenario 1 B (working):

- user-a-google@gmail.com)
- user-a-discord@gmail.com)

Scenario 2:

- user-a-google@gmail.com)
- user-a-twitter@gmail.com)
- user-b-google@gmail.com)
- user-a-twitter@gmail.com), the linking fails because email is already used and linked to User A

I think the UX can be improved for step 6? I can see this is in the TODO of this PR and it's checked, can you confirm it's working as intended please?

Scenario 3:

- user-a-twitter@gmail.com)
- user-a-discord@gmail.com)

  `{"code":403,"msg":"Unable to unlink identity due to email conflict"}`

Unlike the other scenarios, here the user is not logged out automatically. I can also unlink my Discord without problem.

What is the reason I can't unlink my Twitter here? Since I've also added Discord, I should be able to unlink Twitter, right?
Hi @chhuang, thanks for providing all these details.

Scenario 1 will be fixed by this PR.

Scenario 2 is expected, but you should not be logged out in step 6 - I'll look into why that's happening in the client library.

Scenario 3 happens because you already have another user / identity in your db that uses the email user-a-discord@gmail.com. When you unlink the twitter identity from the user, we need to update the `auth.users.email` column, which has a unique constraint on it. If there is another user that initially signed in with discord using user-a-discord@gmail.com, this email will already be used in the `auth.users` table. This is a known issue and we're working on relaxing the email constraint on oauth identities so that this error goes away.
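The rule given in the comment above (`auth.users.email` is unique, and unlinking the identity that supplied that email forces the column to be rewritten from a remaining identity) is easy to lose in the scenario descriptions, so here is an added in-memory model of it. This is example code written for this thread, not gotrue or supabase-js code: the table shapes, the function names `linkIdentity`/`unlinkIdentity`/`emailInUse`, the sample rows and every error code except the quoted 403 message are constructed for the illustration.

```javascript
// Added example, not gotrue or supabase-js code: an in-memory model of the rule
// described in the thread, that auth.users.email is unique and must be rewritten
// when the identity that supplied it is unlinked. Table shapes, function names,
// sample rows and all error codes except the quoted 403 are constructed here.

const sameEmail = (a, b) => a.toLowerCase() === b.toLowerCase();

// True if a user other than excludeUserId already owns this email: the unique
// constraint on auth.users.email that the 403 in the thread comes from.
function emailInUse(db, email, excludeUserId) {
  return db.users.some((u) => u.id !== excludeUserId && sameEmail(u.email, email));
}

// Model of linkIdentity: refuse when the provider's email is already another
// user's primary email (the "email is already used" failure in Scenario 2).
function linkIdentity(db, userId, provider, providerEmail) {
  if (emailInUse(db, providerEmail, userId)) {
    return { error: { code: 422, msg: 'Identity is already linked to another user' } };
  }
  db.identities.push({ userId, provider, email: providerEmail });
  return { error: null, identities: db.identities.filter((i) => i.userId === userId) };
}

// Model of unlinkIdentity: the user must keep at least one identity, and if the
// unlinked identity supplied auth.users.email, a remaining identity's email takes
// its place, which is where the unique constraint bites (Scenario 3).
function unlinkIdentity(db, userId, provider) {
  const user = db.users.find((u) => u.id === userId);
  const own = db.identities.filter((i) => i.userId === userId);
  const target = own.find((i) => i.provider === provider);
  if (!user || !target) {
    return { error: { code: 404, msg: 'Identity not found' } };
  }
  if (own.length < 2) {
    return { error: { code: 422, msg: 'User must have at least one identity after unlinking' } };
  }
  const remaining = own.filter((i) => i !== target);
  if (sameEmail(user.email, target.email)) {
    const replacement = remaining[0].email;
    if (emailInUse(db, replacement, userId)) {
      // Message quoted from the thread; refuse rather than violate the constraint.
      return { error: { code: 403, msg: 'Unable to unlink identity due to email conflict' } };
    }
    user.email = replacement;
  }
  db.identities = db.identities.filter((i) => i !== target);
  return { error: null, identities: remaining };
}

// Constructed data in the shape of Scenario 3: User A holds twitter and discord
// identities, and a separate User B already owns user-a-discord@gmail.com as its
// primary email (for example from an earlier discord sign-in).
function makeScenario3() {
  return {
    users: [
      { id: 'user-a', email: 'user-a-twitter@gmail.com' },
      { id: 'user-b', email: 'user-a-discord@gmail.com' },
    ],
    identities: [
      { userId: 'user-a', provider: 'twitter', email: 'user-a-twitter@gmail.com' },
      { userId: 'user-a', provider: 'discord', email: 'user-a-discord@gmail.com' },
      { userId: 'user-b', provider: 'discord', email: 'user-a-discord@gmail.com' },
    ],
  };
}

// Walk Scenario 3 and return both outcomes so they can be checked as values.
function runScenario3() {
  const db = makeScenario3();
  const twitter = unlinkIdentity(db, 'user-a', 'twitter'); // 403: discord email belongs to user-b
  const discord = unlinkIdentity(db, 'user-a', 'discord'); // ok: primary (twitter) email untouched
  return { twitter, discord, primaryEmail: db.users[0].email };
}

console.log(JSON.stringify(runScenario3(), null, 2));
```

The model reproduces both observations from Scenario 3: unlinking twitter fails with the 403 because the only replacement email is already user B's primary email, while unlinking discord succeeds because user A's primary email does not change. It also shows why relaxing the uniqueness of the email on OAuth identities, as mentioned above, is what removes the error rather than any change on the client side.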
Thanks @kangmingtay for the fix!
Can you tell me how to get the fix? Which library should I update?
What kind of change does this PR introduce?

`unlinkIdentity`, `linkIdentity`, `getUserIdentities` to support the new identity linking endpoints

TODO