Users are able to register with identity and impersonate oauth accounts #23
Comments
hmm I wonder if there's an alternative UID for the Google authorization we could use instead of an email so that the linkage isn't there :\
I haven't yet merged the Google integration, I think we should hold off until we get to the bottom of this.
@mercury2269 I believe this is the offending line: https://github.com/hassox/phoenix_guardian/blob/ueberauth-guardian/web/auth/user_from_auth.ex#L73 That should not look up the user when current_user is nil. I'm wondering if it should do it at all really. Looking at it I don't think it should. Thoughts?
Maybe before creating a new user from authorization there should be a check to see if the user already exists with the same email address and fail if it does.
I see 2 possibilities.
I changed create_user_from_auth so that you have to be logged in to connect a user to an existing account.

```elixir
defp create_user_from_auth(auth, current_user, repo) do
  # Only fall back to the email lookup when nobody is logged in
  # (rebinding inside `if` does not leak out in Elixir, so bind once here)
  user = current_user || repo.get_by(User, email: auth.info.email)

  if !is_nil(user) and is_nil(current_user) do
    # An account with this email exists but the requester is not logged in:
    # refuse to link rather than attach the new identity to that account
    {:error, :user_exists}
  else
    user = user || create_user(auth, repo)
    authorization_from_auth(user, auth, repo)
    {:ok, user}
  end
end
```
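The linking logic discussed in this thread, as an added stand-alone example rather than code from phoenix_guardian: the vulnerable form that looks an account up by the provider's email while nobody is logged in, next to the fixed form that only links an existing account from a logged-in session. `FakeRepo`, `User`, `Auth` and `Linking` are assumed names, and the in-memory repo stands in for Ecto so the script runs offline.

```elixir
# Added example, not the project's code. FakeRepo/User/Auth/Linking are assumptions.
defmodule User do
  defstruct [:id, :email, authorizations: []]
end

defmodule Auth do
  # Just enough of an Ueberauth-style auth struct for this demo
  defstruct [:provider, :uid, info: %{}]
end

defmodule FakeRepo do
  # Minimal stand-in for Ecto.Repo: get_by/2 and insert/1 backed by an Agent
  def start, do: Agent.start_link(fn -> %{} end, name: __MODULE__)

  def get_by(User, email: email) do
    Agent.get(__MODULE__, fn users ->
      Enum.find(Map.values(users), &(&1.email == email))
    end)
  end

  def insert(%User{} = user) do
    Agent.update(__MODULE__, &Map.put(&1, user.id, user))
    user
  end
end

defmodule Linking do
  # Vulnerable: with no session, a provider identity that merely reports a
  # known email is attached to that email's existing account.
  def vulnerable(%Auth{} = auth, current_user, repo) do
    user =
      current_user ||
        repo.get_by(User, email: auth.info.email) ||
        create_user(auth, repo)

    {:ok, authorize(user, auth)}
  end

  # Fixed: an existing account may only gain a new identity from a logged-in
  # session; an anonymous login that collides on email is refused.
  def fixed(%Auth{} = auth, current_user, repo) do
    case {current_user, repo.get_by(User, email: auth.info.email)} do
      {nil, %User{}} -> {:error, :user_exists}
      {nil, nil} -> {:ok, authorize(create_user(auth, repo), auth)}
      {%User{} = user, _} -> {:ok, authorize(user, auth)}
    end
  end

  defp create_user(auth, repo) do
    repo.insert(%User{id: System.unique_integer([:positive]), email: auth.info.email})
  end

  # Records the (provider, uid) pair on the user; persistence is omitted here
  defp authorize(user, auth) do
    %{user | authorizations: [{auth.provider, auth.uid} | user.authorizations]}
  end
end

FakeRepo.start()
existing = FakeRepo.insert(%User{id: 1, email: "someone@example.com"})

# Constructed: a login from a second provider whose identity reports the same email
colliding_auth = %Auth{provider: :other, uid: "other-uid", info: %{email: "someone@example.com"}}

# No session: vulnerable form hands back account 1, fixed form refuses
{:ok, %User{id: 1}} = Linking.vulnerable(colliding_auth, nil, FakeRepo)
{:error, :user_exists} = Linking.fixed(colliding_auth, nil, FakeRepo)

# Logged-in owner of account 1: linking is allowed
{:ok, %User{id: 1, authorizations: [{:other, "other-uid"}]}} =
  Linking.fixed(colliding_auth, existing, FakeRepo)

IO.puts("linking checks passed")
```

Run it with `elixir linking_demo.exs`; each top-level match raises a MatchError if the behaviour differs from the comment beside it. The `fixed/3` branch on `{nil, nil}` still creates a fresh account, which is the only path an anonymous provider login should be able to take.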
It seems like a bug, to reproduce.