sorcery
Local and External duplicate users.
Our application supports local accounts and Facebook signup. If a user creates a local account, logs out, then signs up with a Facebook account that has the same email address as the local account, it creates another account. Wouldn't it make more sense to add the external authentication to the existing user? Is there any way to make sorcery behave this way?
I'm not using external currently, but I think it's not a good idea and very dangerous to link an external account to a local one by email address! And some providers don't give the email.
Comwiz, I agree there should be simple built-in functionality to add authentications to existing users rather than create duplicate users. I haven't been able to find docs on this, but I'm working on it right now so I'll post a solution if I can find one.
The solution is adding available providers to a current_user (should be logged in)
https://github.com/NoamB/sorcery/pull/261
I am also having issues with this. I am using email as my user identifier (which makes great sense because it's effectively the only unique identifier we have for a person), so if an existing local user chooses "login with facebook" I think it should simply add a legitimate external authentication to that user's account (assuming their Facebook email is the same as the one used to sign up locally in the first place). I am achieving this by:
```ruby
# Sorcery's external helper: tries to create a user from the provider response
# and runs model validations; on failure it stores the attempt in session[:incomplete_user]
@user = create_and_validate_from(provider)
```
If the creation fails on duplicate email then find the existing user (using session data created by above method) and add the authentication from facebook:
```ruby
# Look up the local user whose email clashed with the provider's email
@user = User.find_by_email(session[:incomplete_user][:user_hash][:email])
# Attach the external authentication to that user, skipping validations
@user.authentications.build(provider: provider, uid: session[:incomplete_user][:provider][:uid]).save(validate: false)
# Log the (now linked) user in
auto_login(@user)
```
So, I think external authentications should not bypass validations when creating user records.
(Thanks for the great work by the way)
I've been thinking about this issue recently. Here's a solution I came up with:
When a user chooses to sign up with OAuth, we check for an e-mail in the provider response and we check if there's already a user with the same e-mail address:
- if no, we simply create an account
- if yes, then we don't create an account, but we return information that there's already a user with this e-mail address. Then the developer, having received such a value, can show a message like "There's already an account registered with your e-mail address. To add Twitter authentication to your account, you need to log in first"
This solves all the problems - we don't create duplicates, we return proper information, and the developer may choose whether to show the message I mentioned or to simply add the authorization method to the existing user.