Freecodecamp: Login issue: changing the email is not case-sensitive and leads to duplicate accounts

Created on 16 Mar 2019  Â·  11Comments  Â·  Source: freeCodeCamp/freeCodeCamp

Describe the bug
__TL;DR__ – first signed up with GitHub (which has _email # 1_ set as primary). Lately changed the email on FCC to _email # 2_ and since then unable to log in using any of the available methods.

I have two emails:

  1. @gmail.com
  2. other.domain

On GitHub, I have the first one as a primary email and the second one as a secondary.
IIRC, I first signed up to FCC with GitHub, so the letters were going to my first email.

Then I set my email at FCC to the second one and this is where the fun begins.

What happens when I try to log in using different methods:

| Method | Account |
| ------------- |----------------------|
| with GitHub| newly created account # 1 |
| with email # 1| newly created account # 1 |
| with email # 2| newly created account # 2|
| with Google| newly created account # 1 |

As you can see, no method allows me to log into my original account.

Email bindings shown in each of the accounts:

| Account | Bound email |
|------------------|-------------------|
|original account| email # 2|
|newly created account # 1| email # 1|
|newly created account # 2| email # 2|

My session cookie is still present in one of the browsers and when I try to change the email back to # 1, it says that it is already bound to another account, which is fair enough.

api bug
Source
picture WofWca

All 11 comments

Does something need to be clarified?
It's not a "Help" issue, it's a bug report.

WofWca picture WofWca on 28 May 2019

What if you try to change your account #1 email to some other email - then go to the browser that's still logged in with the original account, and change the email back to email #1 - or if you're still logged in on a browser with your original account, maybe change the email to a new email and see if that will allow you on to your original account. It doesn't get to the root of the problem, but it may get you back on to your original account.

@freeCodeCamp/dev-team

moT01 picture moT01 on 7 Jun 2019

Hi @WofWca

Thanks for your report.

Can you send me an email mrugesh at freecodecamp dot org with details of your emails.
I'll fix up your account, and investigate the root cause and possible fix there on.

raisedadead picture raisedadead on 7 Jun 2019

@moT01 I no longer have this session.
@raisedadead I've sent an email, the subject is as the name of the issue.

WofWca picture WofWca on 8 Jun 2019

I can see that we indeed have two accounts for each of your emails listed in the email. For all intents and purposes, we only use email as the primary identifier of your account.

So, it literally depends on what a provider returns us as an email address to lookup and sign you into the account.

For example:

First email: [email protected]
Changed email: [email protected]

Scenario 1:

  • When you sign-in through email, you must use your changed email "[email protected]", using the old email will indeed create a new account for "[email protected]".
  • We do not track old emails per account as a measure of privacy.

Scenario 2:

  • When you sign-in through social providers like GitHub, they should be returning us the changed email, or indeed it will simply create a new account for the email they returned to us.
  • We do not bind email to social provider again for privacy reasons.

Essentially by design, we will create or return an account as per the authentication method used.

raisedadead picture raisedadead on 18 Jun 2019

Well, the thing is – there are now three accounts. The original one is this one.

WofWca picture WofWca on 18 Jun 2019

Okay, I found the issue. Thanks for the additional information. This indeed is a validation bug, when someone changes email.

So, when you entered your email on the update form in settings:

You entered something like: MyNewEmail@example.com, this was stored on our DB as is without sanitising it to lowercase. And the providers will always return lowercase emails. We unfortunately treated this incorrectly.

If you are okay, I am going to delete your 'new accounts' and restore the email that you intended as per the change lower-cased, which should give you access back to your original account.

As for the fix, I'll audit the code and get back to you.

raisedadead picture raisedadead on 18 Jun 2019
👍1

If you are okay, I am going to delete your 'new accounts'

I don't use them, so yeah.

WofWca picture WofWca on 18 Jun 2019

@WofWca thanks for confirming, I have updated the email to be lowercased on your original account and removed the new accounts. Can you test this and let me know, if it's all fixed.

raisedadead picture raisedadead on 18 Jun 2019

Yep, it's working.

WofWca picture WofWca on 18 Jun 2019
👍1

The fix for this is dependent on #36776

Bouncey picture Bouncey on 9 Sep 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jurijuri picture jurijuri  Â·  3Comments
Tzahile picture Tzahile  Â·  3Comments
MelissaManning picture MelissaManning  Â·  3Comments
trashtalka3000 picture trashtalka3000  Â·  3Comments
QuincyLarson picture QuincyLarson  Â·  3Comments