If user logs in with Google OAuth, then later logs in with email/pwd, we should recognize that it's the same person rather than creating 2 different users
Ben Rachbach 10 minutes ago @Zachary Miller — it’s the case that if someone logs into Mosaic once using Google OAuth, then logs in again using uname and pwd, those will be 2 totally separate users in the db, right?
Zachary Miller 8 minutes ago yeah that’s right
Ben Rachbach 1 minute ago @Mati Roy I think this is what happened with [email protected] (that you emailed about).
We should tell participants to only ever use one or the other method and to tell us if they've ever used the other one, so we can make sure to straighten things out.
We should also check how many users seem to be affected; it seems like a small number at a quick glance.
I created this task and prioritized it for you: https://app.asana.com/0/1135542714019048/1137016503187873
Ben Rachbach < 1 minute ago Also created a GitHub issue: https://github.com/oughtinc/mosaic/issues/684
I believe that (in general on the Internet), websites/web apps have different ways of approaching this problem:
- Just add the new method of auth whenever the user uses it for the first time. To be able to add email to existing OAuth, you need to require verification that the user actually owns that email address
- Just don’t allow more than one form of auth for a given email address
- there are probably others?
I feel like there should be lots of articles online about how to handle this, but I couldn't find any good ones -- if someone can find a good one, that could be pretty helpful
Another thought -- in general, we may want to do something hacky/quick rather than the most principled thing. We may even want to solve this without SWE. Anyone know how many of our current participants have duplicate accounts? @andrewschreiber? @Mati-Roy
@DerekElkinsOught , what's our plan for this for Mosaic 2?
@zjmiller @DerekElkinsOught , can we do the engineering for this in such a way that all of the work can be shared between Mosaic 1 and 2? (If so, that would be an argument for doing the principled/"right" thing now)
I hadn't chosen any explicit plan since it's not clear how big an issue it would be. I'm not sure why people would log in differently except perhaps when they are first getting used to the system or occasionally accidentally if they use user/password by default. I would expect it to be rare enough that it's not a significant issue. This may well become less of an issue if we are specifying which participants are part of experiments as the "wrong" login simply won't be included.
Nevertheless, I did think about how it could be dealt with. The simplest solution would probably be to ensure that there is an email associated with each account even if it is a user/password login (which is quite possibly already the case) and then use the email as the user identifier. If people are using different emails, then either we need to explicitly "create" and hand out accounts or the best we can do is rectify the data after the fact. User story https://github.com/oughtinc/mosaic2/issues/50 is geared more toward the latter, but for more analytics-oriented purposes, we can maintain a table (easily outside of Mosaic 2, e.g. in a spreadsheet) that tracks duplicates and then in a pre-processing pass over the data, normalize all the duplicates to a representative.
There might be a way in Auth0 to "merge" accounts. I haven't looked but I suspect that might not be the case, at least for the "basic" user/role management. This wouldn't help us for historical data though.
I'm deprioritizing this on my side. cc @jungofthewon , @andrewschreiber
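The two ideas in this thread that go together are the first option in Ben's list (attach the new auth method on first use, but only after proving ownership of the email) and Derek's suggestion of using the email as the user identifier. The following is an added example sketching that rule, not code from the Mosaic project or from Auth0; the `UserStore`, `LoginEvent` and `emailVerified` names are assumptions for illustration.

```typescript
// Added example, not Mosaic's code. Models "one account per email, link a second
// auth method only once ownership of the address has been proven".
type AuthMethod = "google-oauth" | "email-password";

interface LoginEvent {
  method: AuthMethod;
  email: string;
  // true when ownership is proven: the OAuth provider's email_verified claim,
  // or the user completed our own verification link for the password account.
  emailVerified: boolean;
}

interface User { id: number; email: string; emailVerified: boolean; methods: Set<AuthMethod>; }

type Outcome = "created" | "existing" | "linked" | "verification_required";

class UserStore {
  private users: User[] = [];
  private nextId = 1;

  findByEmail(email: string): User | undefined {
    return this.users.find((u) => u.email === email);
  }

  // Decide whether a login maps onto an existing account, links a new method to
  // it, or must wait for verification. Linking requires BOTH sides to have a
  // verified email: a password account registered under an unverified address
  // must not inherit a Google login for that address, and an unverified OAuth
  // email must not open an existing password account.
  login(ev: LoginEvent): { user: User | null; outcome: Outcome } {
    const email = ev.email.trim().toLowerCase(); // one canonical form per address
    const existing = this.findByEmail(email);
    if (!existing) {
      const user: User = { id: this.nextId++, email, emailVerified: ev.emailVerified, methods: new Set([ev.method]) };
      this.users.push(user);
      return { user, outcome: "created" };
    }
    if (existing.methods.has(ev.method)) {
      // Same method as before: this is simply the same user; record any newly proven ownership.
      existing.emailVerified = existing.emailVerified || ev.emailVerified;
      return { user: existing, outcome: "existing" };
    }
    if (!existing.emailVerified || !ev.emailVerified) {
      return { user: null, outcome: "verification_required" };
    }
    existing.methods.add(ev.method);
    return { user: existing, outcome: "linked" };
  }
}
```

The `verification_required` outcome is where a real deployment would send the verification email or ask the user to sign in with their original method first; the duplicate-cleanup spreadsheet pass Derek describes would then only be needed for historical data.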