Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider email colisions on omniauth-idmty #149

Closed
basicavisual opened this issue Nov 3, 2023 · 3 comments · Fixed by #150
Closed

Consider email colisions on omniauth-idmty #149

basicavisual opened this issue Nov 3, 2023 · 3 comments · Fixed by #150

Comments

@basicavisual
Copy link
Member

As a user, if my email was already registered on Decidimos Monterrey, and I create an account with IDMty that has the same email, I get a flash alert but it allows me to continue.

In this case I should either:

  • be able to merge the accounts (preferable, since Decidim native login will eventually be phased-out) or
  • instruct the user that they already have an account with this email and to login via username / password
@ghost
Copy link

ghost commented Nov 3, 2023

Let's try to merge the accounts. 🙂

@ghost
Copy link

ghost commented Nov 4, 2023
edited by ghost
Loading

@basicavisual , the patch introduced on #148 fixed the "duplicated account" problem.

Now the transaction has enough information (i.e. email) to find the user instead of creating it. 1

transaction do
  create_or_find_user
  @identity = create_identity
end

And just creating an identity for the user (associated with the OAuth provider).

This will enable the transition from Decidim's registration to IDMty.

The only problem is that the controller doesn't recognize that the user already had an account, so it asks again for the name and the alias (this is a bad).

I'm thinking to patch the following method 2:

def user_params_from_oauth_hash
  return nil if oauth_data.empty?

  {
    provider: oauth_data[:provider],
    uid: oauth_data[:uid],
    name: oauth_data[:info][:name],
    nickname: oauth_data[:info][:nickname],
    oauth_signature: OmniauthRegistrationForm.create_signature(oauth_data[:provider], oauth_data[:uid]),
    avatar_url: oauth_data[:info][:image],
    raw_data: oauth_hash
  }
end

To search for a user and plug the name and nickname.

def user_params_from_oauth_hash
  return nil if oauth_data.empty?

+  email = oauth_data.dig(:info, :email)
+  user = Decidim::User.find_by(email: email, organization: current_organization)

  {
    provider: oauth_data[:provider],
    uid: oauth_data[:uid],
+    name: oauth_data[:info][:name] || user&.name,
+    nickname: oauth_data[:info][:nickname] || user&.nickname,
    oauth_signature: Decidim::OmniauthRegistrationForm.create_signature(oauth_data[:provider], oauth_data[:uid]),
    avatar_url: oauth_data[:info][:image],
    raw_data: oauth_hash
  }
end

Now, this works. 🙂

Footnotes

  1. https://github.com/decidim/decidim/blob/release/0.26-stable/decidim-core/app/commands/decidim/create_omniauth_registration.rb#L32-L34

  2. https://github.com/decidim/decidim/blob/release/0.26-stable/decidim-core/app/controllers/decidim/devise/omniauth_registrations_controller.rb#L84-L96

ghost pushed a commit that referenced this issue Nov 4, 2023
omniauth: prevent duplicating accounts
94a6d21 
Closes: #149
@ghost ghost mentioned this issue Nov 4, 2023
Merged
@basicavisual
Copy link
Member Author

Thank you @samanera ! very clean solution. this works as expected :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

omniauth: prevent duplicating accounts CodeandoMexico/decidim-monterrey
1 participant
@basicavisual