
Using email as auth identity is unreliable #38

Open
pixobit opened this issue May 16, 2023 · 2 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@pixobit

pixobit commented May 16, 2023

PHP Version

8.1

CodeIgniter4 Version

4.3.2

Shield Version

1.0.0-beta.3

Shield OAuth Version?

dev-develop

Which operating systems have you tested for this bug?

Windows

Which server did you use?

apache

Database

MySQL 5.6

Did you add a custom OAuth?

YES.
It's not public

What happened?

When signing in with Google or GitHub, using the email as the authentication identity is fine, but when you add Facebook, for example, it already breaks, since Facebook doesn't always have an email available. A more reliable way would be to use the id, and only pull the email if available.

Steps to Reproduce

Use the Facebook OAuth available in the discussions, and try signing in with an FB account where you used a phone number to sign up.

Expected Output

To be able to sign in without unexpected error

Anything else?

I hope I managed to make it as clear as possible, but if not, let me know, and I will try to add some sources for explanation.

@pixobit pixobit added the bug Something isn't working label May 16, 2023
@datamweb datamweb added the good first issue Good for newcomers label May 16, 2023
@JamesShaver

I'm curious if there's been any thought about how to get around this issue? Would it be as simple as changing the Shield Login Identifier to phone?

@Zoly
Contributor

Zoly commented Jul 22, 2024

How about validated attached authentication accounts?

The user is logged in and in his user profile page he can choose to add additional authentication accounts.
After validating that he owns the newly requested account, the two login identifiers are linked, and whichever login method he chooses later on, both are identified as the same account.

In case the requested account already exists, by passing the validation process it is confirmed that we are dealing with the same user, and the two login identifiers can safely be merged into one account, specifically the account he made the request from, after notifying the user of the fact that he will lose access to the personalized settings that can't be merged into the account he tries to attach.
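The identity model the report and Zoly's comment describe, written out as an added example for this issue (it is not Shield OAuth's own code): a local account is keyed on the pair (provider, provider user id) rather than on email, the email is stored only when the provider supplies one, and a second identity can be attached only after ownership has been verified, merging into the account the request came from when that identity already belongs to another account. The class and method names (`IdentityStore`, `resolve`, `link`) and the in-memory storage are assumptions made for the illustration; a real integration would back them with the users/identities tables.

```php
<?php
declare(strict_types=1);

// Illustrative model, not Shield OAuth project code. Identity is keyed on the
// provider's stable user id; email is an optional attribute, since some providers
// (e.g. a Facebook account registered with a phone number) do not return one.

final class Account
{
    /** @var array<string,string> provider => provider user id */
    public array $identities = [];

    public function __construct(public int $id, public ?string $email = null) {}
}

final class IdentityStore
{
    /** @var array<int,Account> */
    private array $accounts = [];
    /** @var array<string,int> "provider:providerId" => local account id */
    private array $index = [];
    private int $nextId = 1;

    private function key(string $provider, string $providerId): string
    {
        return strtolower($provider) . ':' . $providerId;
    }

    // Resolve (or create) the local account for a normalised OAuth profile.
    // Only 'id' is mandatory; 'email' is used when present.
    public function resolve(string $provider, array $profile): Account
    {
        if (!isset($profile['id']) || $profile['id'] === '') {
            throw new InvalidArgumentException("$provider profile has no stable user id");
        }
        $key = $this->key($provider, (string) $profile['id']);
        if (isset($this->index[$key])) {
            $account = $this->accounts[$this->index[$key]];
            // Fill in the email if the provider now supplies one and we had none.
            $account->email ??= $profile['email'] ?? null;
            return $account;
        }
        $account = new Account($this->nextId++, $profile['email'] ?? null);
        $account->identities[$provider] = (string) $profile['id'];
        $this->accounts[$account->id] = $account;
        $this->index[$key] = $account->id;
        return $account;
    }

    // Attach another provider identity to the currently logged-in account. The
    // caller must have completed that provider's OAuth flow for the identity
    // (proof of ownership); that outcome is passed in as $ownershipVerified.
    public function link(Account $account, string $provider, string $providerId, bool $ownershipVerified): Account
    {
        if (!$ownershipVerified) {
            throw new RuntimeException('refusing to link an identity whose ownership was not verified');
        }
        $key = $this->key($provider, $providerId);
        if (isset($this->index[$key])) {
            $other = $this->accounts[$this->index[$key]];
            if ($other->id !== $account->id) {
                // The identity already belongs to another account: merge that
                // account into the one the request was made from.
                foreach ($other->identities as $p => $pid) {
                    $account->identities[$p] = $pid;
                    $this->index[$this->key($p, $pid)] = $account->id;
                }
                $account->email ??= $other->email;
                unset($this->accounts[$other->id]);
            }
            return $account;
        }
        $account->identities[$provider] = $providerId;
        $this->index[$key] = $account->id;
        return $account;
    }
}

// Constructed sample callbacks: Google returns an email, Facebook (phone signup) does not.
$store = new IdentityStore();
$alice = $store->resolve('google', ['id' => '1078', 'email' => 'alice@example.com']);
$fb    = $store->resolve('facebook', ['id' => '9901']);   // no email, still resolves
// Alice, logged in via Google, proves she owns the Facebook identity; the two accounts merge.
$store->link($alice, 'facebook', '9901', ownershipVerified: true);
printf("account %d has %d identities, email=%s\n",
    $alice->id, count($alice->identities), $alice->email ?? '(none)');
```

Because lookup never goes through the email column, an identity with no email resolves cleanly, and an email that later appears on the provider side is only an attribute that gets filled in. The merge path runs only after `$ownershipVerified` is true, which is the validation step Zoly's comment puts before linking.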
