Describe the bug
I'm not sure if this was the intended use case so this ticket might totally be invalid.
The bug is that if a GitHub logged-in user changes his email then he's not allowed to log in with it.
To Reproduce
Thanks for the issue! We'll take your request into consideration and follow up if we decide to tackle this issue.
To our amazing contributors: issues labeled type: bug are always up for grabs, but for feature requests, please wait until we add a ready for dev before starting to work on it.
To claim an issue to work on, please leave a comment. If you've claimed the issue and need help, please ping @thepracticaldev/oss and we will follow up within 3 business days.
For full info on how to contribute, please check out our contributors guide.
Hi there, if this issue is up for grabs I would like to help.
@Rafi993, I’ve assigned the issue to you.
Thank you @nickytonline
On re-reading the original description, I'm not so sure anymore if I fully understand what the problem is. I recently changed the primary email address of my Github account, logged out of DEV, and logged back in again with the Github integration without problems.
- Switch username1's email with email2.
When you meant switch email did you mean changing email in github or in dev.to profile settings
@citizen428 I reported this because I’ve got 2 github accounts and I switched their emails a while back.
The account of Dev was made using this username, the one that I reported the issue from.
I can log into dev using 'devreapr' but then 'devreapr' isn't the one which the email points to.
The email points to 'barelyhuman' and since I'm normally logged in via 'barelyhuman' I have to make sure I log out or maintain a different browser or relogin via incognito to access dev.to
Changed it on Github
Thanks for clarifying @devreapr! I'm looping in @rhymes here, as he did quite a bit of work around Github auth recently, but your case is somewhat uncommon I'd say.
as a fellow programmer, I'd suggest instead of going through the internals of where this is breaking, a simple input that updates the github username in the account settings would be an easier solution.
But then it might conflict with the implementation of auth.
We can have the user re-login on update of the username. If there are any other conflicts with the GitHub auth, let me know, we can figure out an easier solution. I'm not a Ruby dev or I'd pick the issue up.
This is @devreapr btw...
I don't think we currently support switching a DEV account to a different github account though. Your github identity in DEV is tied to the github user ID, which is going to be the first one you've signed in with, no matter the email.
this is not possible, as it will make squatting a real possibility. Nothing would stop me from using someone else's GitHub username if they have never signed in to DEV before.
I think currently you have one option:
There's no simple way to verify that GitHub account 2 belongs to you as a physical person as well, thus allowing the user to switch arbitrarily to another GitHub account solely based on the username would be bad.
Not solely based on the username,
I'll rephrase the flow.
I go into settings, change the username for GitHub, it verifies if the same email is assigned to the existing email id in the database; if yes, a change is allowed, if not then an error is thrown.
Anyway, don't have a twitter account and wouldn't wanna make one for this, I guess I'll raise a request to delete the account and recreate with the current github id
But how do you verify that the GitHub account is valid, or that there is no other email associated with that account, or that the GitHub account is yours... I think it may introduce too many permutations to deal with. I may be wrong.
@barelyhuman please email [email protected] to see if support can merge your identities then, please don't delete your account :)
I go into settings, change the username for GitHub, it verifies if the same email is assigned to the existing email id in the database; if yes, a change is allowed, if not then an error is thrown.
good point!
I did try that, I was forwarded to raise a ticket for the same and thus, the issue exists.
@Rafi993
The lowest amount of permutations that I see is with a simple check with the GitHub API's user endpoint. This can be during login or as a cron job, though the cron job will be very heavy for dev.to; during login it checks a combination of email and username instead of just username and uses that to update its own database with the new email.
Because it's not just going to be my issue, imagine someone who's deleted the account off GitHub but the same was used with dev.to, and someone else has access to the account now. It's not a very common issue but it's possible.
I think @rhymes you are better equipped to deal with this issue please feel free to change assignee.
GitHub verifies the emails for you already, all you need to check is if the email and username combination in dev.to's tables is the same as the one that GitHub just sent. If GitHub sent a new email then well, update it.
I still see how a user deleting the account would cause an issue, I'll rethink that strat.
This was my bad @devreapr (or @barelyhuman 🙂)... I was the one speaking with you via yo@ and got mixed up. I'll reconnect with you in that email chain shortly and do my best to help you solve this. Sorry for all this back'n'forth!
It's all cool bro, it's software, there's always going to be an edge case. I would be happy to help with fixing it; if no one picks it up then I might just learn Ruby and get to it.
Thanks for picking this up @michael-tharrington and thanks for offering help @barelyhuman! However, what you're suggesting is not how most sites leveraging OAuth work, so we need to be mindful of that when trying to come up with a solution.
Understood, I did get the idea on how we can get this working.
@rhymes mentioned before that someone could go through and add in a Twitter login and then can disconnect GitHub, why not just have that disconnect part without him having to add in a Twitter login?
Detailed Flow
User comes to Settings / Account
"Disconnect from GitHub" <= User clicks
"You will no longer be able to log into this account if you don't have any other social login setup, kindly rethink what you are doing" (this can be better in a 100 ways, but you get the idea)
Cancel | Okay
----x-----
If the user now forgets to add in a GitHub account or a Twitter account, it's on them, but if I reconnect GitHub at this point, it will just connect to the currently logged-in one.
This solution seems to already be in place in dev.to; the only thing we are missing right now is that the disconnect button is absent when only one social account is connected.
@rhymes @citizen428 any blockages that this could cause on the current flow?
@barelyhuman how is the website supposed to know that dev.to/bob belongs to Bob if they forfeit their identity? We would need some verification system in place. I think total disconnect from third parties could be achieved if and when we'll have a Forem identity, right now there has to be one account tied to the user.
That is the point of the warning modal.
So
"Change GitHub Account" => Warning popup saying he needs to disconnect the current one to connect to another one => "Disconnect GitHub" => he's taken to the GitHub OAuth screen, the new account is connected => Transaction complete.
At any point, if it fails to complete, the previous GitHub account stays. So the site never really has a dangling 3rd-party pointer; it's going to be the old one or the new one.
I don't know what a forem identity is so I'm not sure how I can reply to that.
For now a forem identity isn't anything, it's just an idea of a possibility of having an identity with username/password/2fa tied to the site, which would allow people to connect and disconnect third parties as they please.
Your idea seems sensible. I think that currently we don't support multiple identities tied to the same provider, which would be a prerequisite for the "switch".
Food for thought definitely though, thanks!
Makes sense.
I went through the models and saw that you are using an enabled flag for the identity.
For the above-mentioned change flow, you can have 2 rows of the same provider with one being enabled:false and one being enabled:true, but then you'll have to change the validation to be an index on the combination of both the provider and the enabled flag key to avoid duplications.
If the change is successful the disabled record is deleted. If the change fails then the disabled record is re-enabled and the newly created one is removed.
This is based on my assumption that everything else actually uses the enabled flag and it won't cause a break anywhere else.
I might be totally wrong though, so that's that
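The switch flow sketched in the two comments above (disable the current provider row, link the new one, delete the old row on success or re-enable it on failure), plus the earlier point that the lookup on login must key on the provider's stable user id rather than the username, as an added in-memory Ruby illustration. This is not forem's code: the `Identity` fields, the `IdentityStore` class and the sample uids and emails are all constructed for the example.

```ruby
# Added example, not the project's code. Models one user's third-party identities
# in memory; field names and the store API are assumptions for illustration only.
Identity = Struct.new(:user_id, :provider, :uid, :username, :email, :enabled,
                      keyword_init: true)

class IdentityStore
  def initialize
    @identities = []
  end

  # Mirrors the suggested unique index on (user, provider, enabled): a user may hold a
  # disabled old row and an enabled new row for the same provider, but never two enabled.
  # provider+uid is globally unique so one GitHub account cannot be linked to two users.
  def add(identity)
    if identity.enabled && @identities.any? { |i| i.user_id == identity.user_id && i.provider == identity.provider && i.enabled }
      raise ArgumentError, "user #{identity.user_id} already has an enabled #{identity.provider} identity"
    end
    if @identities.any? { |i| i.provider == identity.provider && i.uid == identity.uid }
      raise ArgumentError, "#{identity.provider} uid #{identity.uid} is already linked"
    end
    @identities << identity
    identity
  end

  # Login resolves on the provider's stable user id, never on username or email, so a
  # changed email or a reused username cannot land a login in someone else's account.
  # The provider already verified the email, so it is simply synced into the row.
  def find_user_for_login(provider:, uid:, email:)
    identity = @identities.find { |i| i.provider == provider && i.uid == uid && i.enabled }
    return nil unless identity
    identity.email = email
    identity.user_id
  end

  # Switch flow: disable the current row, link the new account, drop the old row on
  # success; on any failure remove the new row and re-enable the old one, so the user
  # always ends up with exactly one enabled identity for the provider.
  def switch_identity(user_id:, provider:, new_uid:, new_username:, new_email:)
    old = @identities.find { |i| i.user_id == user_id && i.provider == provider && i.enabled }
    raise ArgumentError, "no enabled #{provider} identity for user #{user_id}" unless old
    old.enabled = false
    new_identity = nil
    begin
      new_identity = add(Identity.new(user_id: user_id, provider: provider, uid: new_uid,
                                      username: new_username, email: new_email, enabled: true))
      @identities.delete(old)
      new_identity
    rescue ArgumentError
      @identities.delete(new_identity) if new_identity
      old.enabled = true
      raise
    end
  end

  def identities_for(user_id)
    @identities.select { |i| i.user_id == user_id }
  end
end

# Walk-through on constructed data: user 1 is linked to GitHub uid 101, logs in after
# changing their email, then switches the account to GitHub uid 202.
def demo_switch
  store = IdentityStore.new
  store.add(Identity.new(user_id: 1, provider: "github", uid: 101, username: "devreapr",
                         email: "old@example.invalid", enabled: true))
  user = store.find_user_for_login(provider: "github", uid: 101, email: "new@example.invalid")
  store.switch_identity(user_id: 1, provider: "github", new_uid: 202,
                        new_username: "barelyhuman", new_email: "new@example.invalid")
  [user, store.identities_for(1).map { |i| [i.uid, i.enabled] }]
end

puts demo_switch.inspect if __FILE__ == $PROGRAM_NAME
```

The rollback branch is the part worth copying: if the new account is already linked to another user, `add` raises before the old row is deleted, and the user is left exactly where they started rather than with no login at all.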
This is something I definitely wished for in the past, so 👍 for at least looking into the feasibility of this change.