Extra email addresses are not *stored*
If you sign in with GitHub through OAuth2, they send a LIST of email addresses. We use this to figure out whether the user already exists, but under a different email; ultimately, however, we never save the list of email addresses.
@escattone and I tested this manually on Stage with the GitHub user mdnwebdocs.tester, who we know has more than 1 email, but it did not store the secondary email address anywhere in the database.
This is a missed opportunity, because that secondary email address could be used when the user comes back, forgets he used GitHub last time and uses Google this time, and that secondary address could be his primary on Google.
Just wanted to stress, if a user has two accounts:
- GitHub
  - emailA (primary, verified)
  - emailB (verified)
  - emailC (verified)
- Google
  - emailB (primary, verified)
If the user used GitHub first, we'd pick up emailB and emailC, so when she later uses Google (because they can't remember which provider they used before losing all browser history) we would be able to match the same user to that first GitHub login.
Also, suppose that I, as a GitHub user, sign up and realize "Oh no, I want all MDN emails sent to emailC"; then I'd have to manually go and add that and use Kuma's email verification process to make it verified.
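The two behaviours described in the issue and in the emailA/emailB/emailC scenario above, side by side, as an added example; this is not Kuma's code, and the store, function and field names are hypothetical. The sample provider payloads are constructed for the example (the `email`/`primary`/`verified` fields mirror what GitHub's email listing returns; the Google shape is an assumption). Only addresses the provider marks as verified are used for matching or stored, so an unverified address a provider reports cannot link one login to someone else's account.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample payloads modelled on the scenario in the comment above.
GITHUB_EMAILS = [
    {"email": "emailA@example.com", "primary": True, "verified": True},
    {"email": "emailB@example.com", "primary": False, "verified": True},
    {"email": "emailC@example.com", "primary": False, "verified": True},
    {"email": "unverified@example.com", "primary": False, "verified": False},
]
GOOGLE_EMAILS = [
    # Same address as GitHub's emailB, but with different casing and now primary.
    {"email": "EmailB@example.com", "primary": True, "verified": True},
]


def normalize(email: str) -> str:
    """Canonical form used for lookups so casing differences still match."""
    return email.strip().lower()


@dataclass
class User:
    id: int
    username: str
    emails: List[str] = field(default_factory=list)  # normalised, verified only


class UserStore:
    """Minimal in-memory stand-in for the user table (hypothetical)."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.by_email: Dict[str, int] = {}

    def find_by_email(self, email: str) -> Optional[User]:
        uid = self.by_email.get(normalize(email))
        return self.users.get(uid) if uid is not None else None

    def create(self, username: str, emails: List[str]) -> User:
        user = User(id=len(self.users) + 1, username=username)
        self.users[user.id] = user
        self.add_emails(user, emails)
        return user

    def add_emails(self, user: User, emails: List[str]) -> None:
        for addr in emails:
            owner = self.by_email.get(addr)
            if owner is not None and owner != user.id:
                continue  # never re-assign an address already linked to another account
            if addr not in user.emails:
                user.emails.append(addr)
            self.by_email[addr] = user.id


def verified_addresses(provider_emails: List[dict]) -> List[str]:
    """Keep only the addresses the identity provider itself has verified."""
    return [normalize(e["email"]) for e in provider_emails if e.get("verified")]


def login_primary_only(store: UserStore, username: str, provider_emails: List[dict]) -> User:
    """Behaviour the issue describes: match on the primary address and store only that one."""
    primary = next(e for e in provider_emails if e.get("primary") and e.get("verified"))
    addr = normalize(primary["email"])
    user = store.find_by_email(addr)
    return user if user is not None else store.create(username, [addr])


def login_all_verified(store: UserStore, username: str, provider_emails: List[dict]) -> User:
    """Proposed behaviour: match on any verified address and store every verified address."""
    addrs = verified_addresses(provider_emails)
    user = next((u for u in map(store.find_by_email, addrs) if u is not None), None)
    if user is None:
        return store.create(username, addrs)
    store.add_emails(user, addrs)  # pick up addresses the second provider adds
    return user


def demo() -> dict:
    """GitHub login first, Google login second, under both behaviours."""
    before = UserStore()
    gh_before = login_primary_only(before, "tester", GITHUB_EMAILS)
    go_before = login_primary_only(before, "tester", GOOGLE_EMAILS)

    after = UserStore()
    gh_after = login_all_verified(after, "tester", GITHUB_EMAILS)
    go_after = login_all_verified(after, "tester", GOOGLE_EMAILS)

    return {
        "primary_only_same_user": gh_before.id == go_before.id,  # False: a duplicate account
        "all_verified_same_user": gh_after.id == go_after.id,    # True: matched via emailB
        "stored_emails": sorted(gh_after.emails),
    }


if __name__ == "__main__":
    print(demo())
```

The `primary_only` path ends up with two separate accounts for the same person, which is exactly the duplicate-account problem the issue predicts; the `all_verified` path links the Google login to the GitHub-created user through emailB while leaving the provider's unverified address out of the database.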
The more I think about this, it strikes me as more serious than I first thought. This flaw is going to make the matching of a user's Google account to her/his existing MDN user (originally created via GitHub) much less likely. The workaround is that users will have to add and verify their Google email address via their MDN profile page (if it's not already one of their verified emails).