
I have a general question about building a user system with Omniauth: When I enable more than one authentication method I want to make sure that a user can't sign up again through another provider, whether accidentally or on purpose. My attempt was to check the email address, which is what works for most providers.

But when I add authentication via Twitter this system fails since Twitter won't publish the email of the user.

So the only way I could figure out was to add a second step of registration when signing in via Twitter (or any other login provider that doesn't publish the email) and I'm just wondering if there are any more convenient ways to do this?

Any help or suggestions are appreciated!


2 Answers


You will have the same issue with LinkedIn. Also, I personally use a different email for every site I join. So, even if you requested my email that would not help you identify me. If you are only using Omniauth and not Devise also, you could check every time the user logs in to see if they are logged in with other services as well and merge the accounts. That seems unnecessary though because people are usually signed into their twitter/fb accounts all the time. As long as you are checking both before serving the registration page, you should be golden. If you are really trying to stop people from having multiple accounts, you either need to require and verify a cell phone number or rely strictly on a single provider that does.


All you really care about is whether the user has authenticated, and once s/he has, you only need to track the user id of who authenticated and what service they used to authenticate. So if a person is logged in under Twitter and tries to log in under Facebook, your code needs to know the user_id (not the UID, if you followed Ryan Bates's Railscasts) associated with that Twitter user, and that Facebook user needs to have the same user_id. You will still let him authenticate using the second service, but the final step will be to check what service the user_id is logged in under (versus the one they JUST logged into). If the services are different, it means they tried to sneak in under the second service, and you can handle it.
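The two approaches in this thread (the question's email matching plus a deferred second step for providers like Twitter, and this answer's user_id check when an already signed-in user authenticates with another service) combined in one account linker. This is an added example, not code from the question or answers; it uses plain Ruby stand-ins for the Rails models and assumes the auth hash has Omniauth's `provider`, `uid` and `info.email` shape with symbol keys.

```ruby
# Account linking across several Omniauth providers, as described in the thread.
# Plain Ruby stand-ins (no Rails): Identity and User replace ActiveRecord models.
Identity = Struct.new(:provider, :uid, :user_id)
User = Struct.new(:id, :email)

class AccountLinker
  def initialize
    @users = []
    @identities = []
  end

  # auth follows the Omniauth auth-hash shape: { provider:, uid:, info: { email: } }.
  # current_user is the already signed-in user, if any.
  def resolve(auth, current_user = nil)
    provider, uid = auth[:provider], auth[:uid]
    email = auth.dig(:info, :email)
    identity = @identities.find { |i| i.provider == provider && i.uid == uid }
    if identity
      # Known identity: if someone is signed in as a different user, they are
      # trying to use a second account (the check the second answer describes).
      return [:conflict, identity.user_id] if current_user && current_user.id != identity.user_id
      return [:signed_in, @users.find { |u| u.id == identity.user_id }]
    end
    if current_user
      # Unknown identity while signed in: attach it to the existing account.
      @identities << Identity.new(provider, uid, current_user.id)
      return [:linked, current_user]
    end
    if email
      # Match by email where the provider publishes one (the question's approach).
      user = @users.find { |u| u.email.casecmp?(email) } || create_user(email)
      @identities << Identity.new(provider, uid, user.id)
      return [:signed_in, user]
    end
    # Twitter and similar providers give no email: defer to a second step.
    [:needs_email, Identity.new(provider, uid, nil)]
  end

  # Second registration step for providers without email: the user supplies
  # the address, and the pending identity is attached to the matching account.
  def complete_registration(pending, email)
    user = @users.find { |u| u.email.casecmp?(email) } || create_user(email)
    @identities << Identity.new(pending.provider, pending.uid, user.id)
    user
  end

  def create_user(email)
    User.new(@users.size + 1, email).tap { |u| @users << u }
  end
end
```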