0 votes

So I'm piggybacking on this post here:

Python Social Auth duplicating e-mails for different users

Here's my issue:

I provide a user with the ability to sign up either via regular email sign-up, Facebook auth or Twitter auth.

I'm also using the same package (Social Django Auth App) for the user login pages.

I realized that a user might try to sign up with a Facebook account (associated with one email) and then try again later to register with Twitter (which could have the same email address). Based on the aforementioned post, I added a function to check for duplicate emails like so:

from django.contrib import messages
from django.contrib.auth.models import User
from django.shortcuts import redirect


def check_email_exists(request, backend, details, uid, user=None, *args, **kwargs):
    email = details.get('email', '')
    provider = backend.name

    # check if social user exists to allow logging in (not sure if this is necessary)
    social = backend.strategy.storage.user.get_social_auth(provider, uid)
    # check if given email is in use (usernames are email addresses in this project)
    count = User.objects.filter(username=email).count()

    # user is not logged in, social profile with given uid doesn't exist
    # and email is in use
    if not user and not social and count:
        # messages.error() returns None, so queue the message first and then
        # redirect, rather than passing its result into reverse(); the message
        # is an error, not a success, and is only queued when we actually refuse
        messages.error(request, 'Sorry, a user with that email already exists')
        return redirect('accounts:sign_up')

and my pipeline with the function:

SOCIAL_AUTH_PIPELINE = (
    'social_core.pipeline.social_auth.social_details',
    'social_core.pipeline.social_auth.social_uid',
    'social_core.pipeline.social_auth.auth_allowed',
    'social_core.pipeline.social_auth.social_user',
    'social_core.pipeline.user.get_username',
    'dealmazing.utils.check_email_exists',
    'social_core.pipeline.social_auth.associate_by_email',  # <--- enable this one
    'social_core.pipeline.user.create_user',
    'social_core.pipeline.social_auth.associate_user',
    'social_core.pipeline.social_auth.load_extra_data',
    'social_core.pipeline.user.user_details',
)

Upon testing, if I go to sign up with a Twitter account of an already registered email address, it works. YAY!

BUT the main issue comes when I go to try to log in using either Facebook or Twitter. The function is checking on those logins as well and spitting me back the 'Email Already Exists...' error.

So I somehow need to distinguish between a login and a registration, but I'm having trouble finding how I actually do this with the social auth package.

Any ideas?

2 Aren't you duplicating the functionality of 'social_core.pipeline.social_auth.associate_by_email'? As per the documentation, it checks if the email already exists, and if this is the case the user is associated with the existing account. – alv2017

2 Answers

0 votes

The difference between login and register is up to your project. It looks like in your scenario, a user landing in your pipeline function that matches an email in your DB should be considered a login attempt and not a new signup. That's basically the functionality of the associate_by_email method.

You might see the potential risk in this when a user uses a service that doesn't validate email addresses: they can take control of somebody else's account. You can mitigate this by doing validation on your end after any new social account is added, or by trusting services that are known to validate emails on their end.

0 votes

I would say that you have to remove from the pipeline

'social_core.pipeline.social_auth.associate_by_email'

Reason: your application is not supporting unique user emails in the User data model, and you are getting yourself into trouble. If you are not verifying user emails, then the trouble might be even bigger.
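An added example, not code from the question or from either answer, that ties the three threads together: the question's need to tell a login attempt from a signup attempt, the first answer's point that auto-linking by email is only safe when the provider itself verified the address, and the second answer's point that non-unique emails make the whole scheme unsafe. It assumes the project's "begin" links carry the intent (for example `{% url 'social:begin' 'twitter' %}?intent=signup`) and that settings include `SOCIAL_AUTH_FIELDS_STORED_IN_SESSION = ['intent']`, which is what makes that value readable via `strategy.session_get()` at the complete step. `TRUSTED_EMAIL_PROVIDERS`, `SIGNUP_URL`, `LOGIN_URL`, the `guard_email_account` name, the `decide` helper and the fake strategy, storage and backend objects are all assumptions made here so the example runs without Django or social-core installed; the user list is constructed sample data.

```python
# Added example, not code from the question or either answer.

# Assumption: backend names of providers that hand over an email address they
# have verified themselves. Anything not listed is treated as unverified.
TRUSTED_EMAIL_PROVIDERS = {"google-oauth2"}

# Assumed URLs of the project's own signup and login pages.
SIGNUP_URL = "/accounts/signup/?error=no_account"
LOGIN_URL = "/accounts/login/?error=email_in_use"


class AmbiguousEmailError(Exception):
    """More than one local account carries the same email address."""


def decide(intent, provider, existing_users):
    """Pure decision for a (provider, uid) pair we have never seen before.

    intent         -- 'signup' or 'login', carried over from the begin URL
    provider       -- backend.name, e.g. 'twitter' or 'google-oauth2'
    existing_users -- local accounts whose email equals details['email']
    Returns 'create', 'associate', 'redirect_signup' or 'redirect_login'.
    """
    if len(existing_users) > 1:
        # The second answer's warning: with duplicate emails there is no safe
        # account to pick, so refuse rather than guess.
        raise AmbiguousEmailError("email is not unique in the user table")
    if not existing_users:
        # Nobody owns this email yet: a signup may proceed, a login has
        # nothing to log into, so send it to the signup page instead.
        return "create" if intent == "signup" else "redirect_signup"
    if provider in TRUSTED_EMAIL_PROVIDERS:
        # The provider verified the address, so linking cannot be a takeover.
        return "associate"
    # Unverified email plus an existing account: never auto-link, whatever
    # the intent. The owner must log in with their password and link the
    # provider while logged in.
    return "redirect_login"


def guard_email_account(strategy, backend, details, uid, user=None, *args, **kwargs):
    """social-core pipeline step: put it after social_user, in place of
    associate_by_email and before create_user."""
    if user:
        # social_user already mapped (backend.name, uid) to an account, or the
        # user is logged in and is linking a new provider: nothing to decide.
        return None
    email = (details.get("email") or "").strip().lower()
    if not email:
        return None
    intent = strategy.session_get("intent", "login")
    existing = list(strategy.storage.user.get_users_by_email(email))
    action = decide(intent, backend.name, existing)
    if action == "create":
        return None  # let create_user make the account
    if action == "associate":
        # Same return shape as social_core's associate_by_email; the
        # associate_user step then links the uid to this account.
        return {"user": existing[0], "is_new": False}
    if action == "redirect_signup":
        return strategy.redirect(SIGNUP_URL)
    return strategy.redirect(LOGIN_URL)


# ---- constructed test doubles so the step runs without Django or social-core ----
class _FakeUserStorage:
    def __init__(self, users):
        self._users = users

    def get_users_by_email(self, email):
        return [u for u in self._users if u["email"] == email]


class _FakeStorage:
    def __init__(self, users):
        self.user = _FakeUserStorage(users)


class _FakeStrategy:
    def __init__(self, users, session):
        self.storage = _FakeStorage(users)
        self._session = session

    def session_get(self, name, default=None):
        return self._session.get(name, default)

    def redirect(self, url):
        return ("redirect", url)  # DjangoStrategy returns an HttpResponseRedirect here


class _FakeBackend:
    def __init__(self, name):
        self.name = name


USERS = [{"id": 1, "email": "alice@example.com"}]  # constructed sample account


def run(provider, intent, email, user=None):
    """Drive the pipeline step once with the fakes above and return its result."""
    strategy = _FakeStrategy(USERS, {"intent": intent})
    return guard_email_account(strategy, _FakeBackend(provider), {"email": email},
                               uid="uid-1", user=user)


if __name__ == "__main__":
    print(run("twitter", "signup", "alice@example.com"))      # refused: unverified provider
    print(run("google-oauth2", "login", "alice@example.com"))  # associated with alice
    print(run("twitter", "signup", "bob@example.com"))         # None: create_user proceeds
```

A returning user whose (provider, uid) is already stored arrives with `user` set by `social_user` and passes straight through, so logins keep working; a logged-in user connecting a second provider also passes through and `associate_user` links it, which is the safe way to attach an unverified provider to an existing account.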