
Guest contribution gets associated with a registered account

Open benhylau opened this issue 4 years ago • 8 comments

Describe the bug

A Guest contribution gets associated with a registered account if the emails match, without acknowledgement of the registered user.

To Reproduce

Steps to reproduce the behavior:

  1. As an unregistered user (not logged in), go to make a donation (e.g. https://opencollective.com/compost/donate)
  2. Click on Incognito to make a guest donation without registering
  3. Enter the email address of a registered user
  4. Proceed to make the donation
  5. Observe that the donation of the anonymous user is now associated with the profile of a registered user

Expected behavior

The anonymous user should receive a message that says "this account belongs to a registered user" and prompt for login.

Desktop (please complete the following information):

  • OS: MacOS
  • Browser: Firefox

Additional context

This happened to me. An email came in saying I made a $100 donation, and I obviously didn't make that. It's a Collective under my own host, so I was able to check the record in Stripe, and it's not a credit card I recognize, but everything went through and it was a legitimate donation (from someone, but who?!)

This was confusing because I thought someone gained access to my OC account. The donor probably saw the Guest contribution page and thought "ahh this is like PayPal, let me enter the recipient email address", which is my address, when OC really wanted their email address... so the payment went and got associated to my account.

I verified this behaviour by making a donation as Guest to another Collective, and yes it did get associated with my account again.

benhylau avatar May 10 '21 08:05 benhylau

This topic was thoroughly discussed while implementing guest contributions. Allowing contributions with existing emails was creating a minor security issue (people being able to contribute in your name), but allowed for a much simpler process for people contributing multiple times as guests and for embedded widgets, where it's not possible to sign in. We also looked at what others were doing at the time (Donorbox, Helloasso, etc.) and they actually implement a similar behavior.

When it comes to contributions, reducing friction and making the flow as simple as possible is key. This is why we chose to implement that in this way.

We currently have 2 measures to help with impersonated contributions:

  • In the "thank you" email, there's a small message for people to contact support if there's something wrong
  • You can't contribute as an existing organization without signing in

We can eventually think about more/simpler options for people to reject these, as a link in the email ("Click here if this wasn't you")

Betree avatar May 10 '21 09:05 Betree

We could add some help text at that point to help people understand which email they should put in.

Also, we should make it clear that if you want to be anonymous you should make an incognito contribution, and guest contributions may de-anonymize later.

alanna avatar May 10 '21 22:05 alanna

I think this is fine to close from my end if it's already discussed, and is a conscious design decision. As a user though, this breaks my assumption on how a "profile" can be associated with actions. So I immediately assumed my account was accessed by a third party, reset all my OC sessions and called my credit card company to check whether my card was used for the donation (because my card is stored on file for recurrings).

@Betree I think the UX could allow people to donate with a registered account's email, but that donation would be queued for triage by the registered user in a new page. Until they are triaged, they should not be associated.

@alanna I don't think there is an Incognito option when you're not logged in. In this case, it doesn't really help me since it's another person going through that UI.

benhylau avatar May 11 '21 00:05 benhylau

Allowing contributions with existing emails was creating a minor security issue

leading to:

I immediately assumed my account was accessed by a third party, reset all my OC sessions and called my credit card company to check whether my card was used for the donation (because my card is stored on file for recurrings).

sounds like a bit of a misjudgement to me, and one I would worry about more as we start to support bigger projects. I think either of the proposed solutions is acceptable:

The anonymous user should receive a message that says "this account belongs to a registered user" and prompt for login.

In the "thank you" email, there's a small message for people to contact support if there's something wrong

I think it's worth some digging to find out what impact this has currently and whether we should look to improve the login method to lower barriers there if it's an issue for some...

BenJam avatar May 25 '21 09:05 BenJam

I don't think the account being accessed by a third party is a misjudgement though. If my Twitter RTs something that I didn't do myself, I'd immediately conclude it as access by a third party. Especially so since I have used the OC account on a device that does not belong to me.

I think the general user does not have the full bg context of OC staff, that the action originating from an unauthenticated event would never have come to mind. My second hypothesis was that there was a bug in the platform itself and the Tx would soon be rejected. So at that time I also emailed @alanna to inquire if it was a platform issue.

benhylau avatar May 25 '21 10:05 benhylau

If a guest contributor goes on to register with the same email, will their previous contributions as a guest become associated with their new profile? There are lots of semi-related issues about this and I'm struggling to work out what the current state is?

In short: I have a guest contributor who I'd like to register, and I'd like their existing guest contributions to be associated with their new user profile

jdaviescoates avatar Mar 27 '24 16:03 jdaviescoates

If a guest contributor goes on to register with the same email, will their previous contributions as a guest become associated with their new profile? There are lots of semi-related issues about this and I'm struggling to work out what the current state is?

You can contribute as a guest using the same email multiple times. However, as soon as users verify their accounts (aka. they confirm their emails by signing up), the system will ask them to sign in when they try to contribute. This is not yet enforced on all hosts, but for the long term we're looking into closing this issue.

In short: I have a guest contributor who I'd like to register, and I'd like their existing guest contributions to be associated with their new user profile

While we recognize that this is a simpler UX, it creates some security challenges (mostly the ones exposed in this issue) that we want to protect against.

To smoothen the experience, we need to make sign-in from the contribution flow as simple as possible. The main challenge is the embedded contribution flow, which has limited options.

The alternative would be to not associate a contribution to an account until users sign in to confirm it, but that could create even more friction and complexity.

Betree avatar Apr 08 '24 08:04 Betree
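
The routing rule described in the comment above, together with the "hold until the owner confirms" alternative raised earlier in the thread, sketched as an added example. This is not Open Collective code: the function names, the account store, the `held` queue and the sample emails are all hypothetical.

```javascript
// Hypothetical model of the policy discussed in this thread; not Open Collective code.
// Constructed sample accounts, keyed by normalized email.
const accounts = new Map([
  ['registered@example.org', { id: 'user-1', verified: true }],
  ['repeat-guest@example.org', { id: 'guest-2', verified: false }],
]);
const held = []; // contributions not yet associated with any profile

const normalizeEmail = (email) => String(email).trim().toLowerCase();

// session is null for an unauthenticated submitter, else { accountId }.
function routeGuestContribution({ email, amount, session = null }) {
  const key = normalizeEmail(email);
  let account = accounts.get(key);
  if (!account) {
    // Unknown email: create an unverified guest profile and attach to it.
    account = { id: `guest-${accounts.size + 1}`, verified: false };
    accounts.set(key, account);
  }
  const signedInAsOwner = session !== null && session.accountId === account.id;
  if (!account.verified || signedInAsOwner) {
    return { action: 'attach', accountId: account.id };
  }
  // Verified account, submitter not signed in as its owner: never attach silently.
  const claim = { claimId: held.length + 1, email: key, amount, status: 'held' };
  held.push(claim);
  return { action: 'require_sign_in', accountId: null, claimId: claim.claimId };
}

// The owner, once signed in, accepts or rejects a held contribution.
function resolveHeld(claimId, session, accept) {
  const claim = held.find((c) => c.claimId === claimId && c.status === 'held');
  const owner = claim && accounts.get(claim.email);
  if (!claim || !session || session.accountId !== owner.id) {
    throw new Error('only the signed-in account owner can resolve this claim');
  }
  claim.status = accept ? 'attached' : 'rejected';
  return claim.status === 'attached' ? owner.id : null;
}

// Repeat guest with an unverified profile: attached without sign-in.
console.log(routeGuestContribution({ email: 'repeat-guest@example.org', amount: 5 }));
```

The email is normalized before lookup so that case or whitespace variants of a verified address cannot slip past the sign-in requirement.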

OK thanks @Betree it sounds like it's already all working as I'd like it to and I just need to get my guest contributor to register...

jdaviescoates avatar Apr 08 '24 12:04 jdaviescoates