Better user account merging logic
Our existing lookup process just checks if we already associated a user to the incoming social auth method/id and creates a new user if there is no association: https://github.com/wasp-lang/wasp/blob/main/waspc/data/Generator/templates/server/src/routes/auth/passport/generic/provider.js#L55
It would be better to allow an optional user-defined function to do this check. They could, for example, see that a GitHub user with email "[email protected]" is already associated with User 123, so when a Google user with the same email logs in for the first time we can associate them with the same user.
It would also be nice if this method allowed users to link a social auth method to their currently logged-in account.
One thing to possibly keep an eye out for here is associating a new social user with an email & password user that doesn't have a verified email -> that can result in a security issue where somebody created an account with somebody's email and then gains access if that actual email owner logs in with a social account.
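A sketch of the lookup requested in this issue, with the guard from the comment above: an email match merges accounts only when both the existing user and the incoming social profile have a verified email. This is an added example, not Wasp's code or API; the in-memory store, `resolveSocialLogin`, the profile fields and the reject-on-unverified policy are all assumptions.

```javascript
// Hypothetical in-memory store standing in for the User and social-identity tables.
function createStore() {
  return { users: [], identities: [], nextId: 1 };
}

const normalize = (email) => email.trim().toLowerCase();

function addUser(store, { email, emailVerified, hasPassword = false }) {
  const user = {
    id: store.nextId++,
    email: email ? normalize(email) : null,
    emailVerified: Boolean(emailVerified),
    hasPassword,
  };
  store.users.push(user);
  return user;
}

// profile: { provider, providerUserId, email, emailVerified } as reported by the provider.
// sessionUserId: id of the currently logged-in user, or null when nobody is logged in.
function resolveSocialLogin(store, profile, sessionUserId = null) {
  const link = (userId, action) => {
    store.identities.push({
      provider: profile.provider, providerUserId: profile.providerUserId, userId,
    });
    return { action, userId };
  };

  // 1. Existing association: same behaviour as the current lookup.
  const known = store.identities.find((i) =>
    i.provider === profile.provider && i.providerUserId === profile.providerUserId);
  if (known) {
    if (sessionUserId !== null && known.userId !== sessionUserId) {
      return { action: 'reject', reason: 'identity-linked-to-other-user' };
    }
    return { action: 'login', userId: known.userId };
  }

  // 2. Explicit linking to the account that is already logged in.
  if (sessionUserId !== null) return link(sessionUserId, 'linked-to-session');

  // 3. Email match: merge only when BOTH sides are verified, otherwise an
  //    account registered with someone else's email would inherit their login.
  const email = profile.email ? normalize(profile.email) : null;
  const match = email && store.users.find((u) => u.email === email);
  if (match) {
    if (profile.emailVerified && match.emailVerified) return link(match.id, 'merged');
    return { action: 'reject', reason: 'unverified-email-match' };
  }

  // 4. No match: create a new user, as today.
  const created = addUser(store, { email, emailVerified: profile.emailVerified });
  return link(created.id, 'created');
}
```

Rejecting in step 3 is one possible policy; an application could instead prompt the user to verify the email on the existing account before linking.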
We have a new issue for this, to actually re-implement it.
@Martinsos I don't think we have a new issue for this? I used this one in our planning 😄
Ah whoops I thought you created a new one, something like "Implement account merging logic"! OK, leaving this one then!
User asking for this: https://discord.com/channels/686873244791210014/1271172858281852948/1271172858281852948
Since you mention it: I also recently started using Wasp and this feature would be my nº1 priority.