twilson63 / express-couchUser

An Express module for CouchDB-based user authentication
http://twilson63.github.io/express-couchUser

Handle (or prevent) multiple accounts with the same email address... #36

Closed the-t-in-rtf closed 9 years ago

the-t-in-rtf commented 10 years ago

In testing the library with multiple users, I've discovered that the "forgot password" feature does not handle multiple accounts with the same email address sanely. Only the first account returned for a given email address is associated with the reset token. This makes it impossible to reset the password for any other accounts associated with the same email address.

I can see a few ways to address this:

  1. Make the signup method check to see if a user with the suggested email address already exists and throw an error.
  2. Make the "forgot password" function accept a username or an email address.
  3. Do both.

Happy to make the changes and submit a pull request, just let me know what approach you'd prefer.

warrensplayer commented 10 years ago

My preference is to definitely do option 1 if only an email address is passed in. I am not a big fan of sites that make you have to remember your username and email address to recover a password, but I am open to option 2 if others feel like it would be a valuable feature.

Other opinions?

JoelV commented 9 years ago

Option 1 makes the most sense to me. I don't see a reason for two different users to have the same e-mail address.

Joel V


twilson63 commented 9 years ago

+1 for option 1


the-t-in-rtf commented 9 years ago

I created a pull request with tests:

https://github.com/twilson63/express-couchUser/pull/37