In create_oauth, link existing email account #290
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
To elaborate, suppose we create an account
[email protected]
PASSWORD
in the username-password registration flow.
Before this change, if you were to use the
[email protected]
Google OAuth, then you would create a new OAuth account. This is clearly undesireable behavior.
There are two approaches we can take to address this.
We can reject the registration, explaining in depth that the email [email protected] is already taken by an email account. This is likely to be frustrating for the user, but it doesn't do any "sneaky action at a distance".
We can silently merge the email and Google OAuth accounts if we detect that there is already an account with the email [email protected]. I believe this is the better approach to take.
This might be a worse approach in something like an online game, where people might want to have multiple, separate accounts. But RoboList does not fall into that category. For here, users are merely a set of permissions associated with a set of authentication procedures, and taking the union of both is maximally convenient for the user. So merging accounts is almost always good.
Now, there is an odd thing that can happen. If I were to register on GitHub with [email protected], and then use that to register for RoboList, and then change it on GitHub, RoboList would still be using the email [email protected]. This might be surprising for some users, but it will be fine so long as we build the settings page and are very clear to the user about what email is associated with their account.
My philosophy for the "read email from OAuth token" is merely to populate the email field with an educated guess. Because having multiple registration/login flows is always going to be a little finnicky by nature, we are not going to try and perpetually tie the user's email account with their GitHub/Google email.