JavaScript GitHub Authentication

Daniel Conde
3,881 Points

Why use email as the matching criteria in User.findOneAndUpdate()?

Why should we use the email field to match received OAuth provider's profile data to our internal user data? If a GitHub-authenticated user (User-A) changes their email address on GitHub they would no longer be able to access their account on our app. This could also lead to a security problem where another user (User-B) uses User-A's old email on GitHub and now User-B can log into User-A's account in our app.

IMO profile.id should be used instead of profile.emails[0].value

2 Answers

Igor Yamshchykov
18,723 Points

You're right, using email as a primary key is not a good idea in those cases when it can be changed, but on the other hand emails are unique and querying emails with an index can be fast enough. About the security problem you've mentioned, User B won't be able to use User A's old email address without confirmation, and besides, if User A changes his email, querying the database with his old one will either return null or return User B's profile, as he's now using User A's email.

Ran ShemTov
14,148 Points

Emails are being used as criteria all around the world for their uniqueness. No matter which other criteria you will think of, usually emails would be the most unique option available.

The workaround to the problem you introduced, in my opinion, would be to get some additional data from the social network, see if it exists, and then take an action. For example, I would use email to authenticate users using the Facebook login. But! I would also compare their emails and Facebook id to what I have in my database. If the comparison fails, I would have to think of some kind of action.

To take this even further: my personal action would be to let them log in manually, and reauthenticate Facebook when they are already logged in, in some way. This way I'm sure it's really the user: he has the password, he's already logged in, AND he can wire up his Facebook account with my application. When it's done, I'll update the details, and everything's fine again.
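The matching strategy discussed in this thread, as an added example that is not from the original question or either answer: look the user up by the provider's stable id first, treat an email-only match as "needs explicit linking" rather than as a login, and only then create a new account. It assumes a Passport-style profile object (`id`, `username`, `emails[0].value`) and uses an in-memory array in place of the Mongoose `User` collection; the user records and the `PROVIDER` constant are constructed for the example.

```javascript
const PROVIDER = 'github';

// Constructed sample data: User-A is already linked to GitHub id "1001" under an
// email address they later change on GitHub; User-B has no OAuth link yet.
const users = [
  { _id: 'a', name: 'User-A', email: 'old@example.com', oauth: { provider: PROVIDER, id: '1001' } },
  { _id: 'b', name: 'User-B', email: 'b@example.com', oauth: null },
];

// Resolve an incoming OAuth profile to a local user.
// 1. Match on (provider, profile.id): this survives an email change on GitHub.
// 2. Otherwise, an email-only match is NOT a login: the caller must ask the user to
//    sign in with their password and link the provider explicitly (the re-auth step
//    suggested in the thread). This closes the "User-B takes User-A's old email" hole.
// 3. Otherwise create a fresh user bound to the provider id.
function resolveOAuthUser(profile, store = users) {
  const email = (profile.emails && profile.emails[0] && profile.emails[0].value) || null;

  const byId = store.find(u => u.oauth && u.oauth.provider === PROVIDER && u.oauth.id === profile.id);
  if (byId) {
    // Identity came from the id; the email is just kept current.
    if (email) byId.email = email;
    return { action: 'login', user: byId };
  }

  const byEmail = email ? store.find(u => u.email === email) : null;
  if (byEmail) {
    // Same email, different (or no) provider id: do not log in, require linking.
    return { action: 'link_required', user: byEmail };
  }

  const created = {
    _id: `u${store.length + 1}`,
    name: profile.username || email,
    email,
    oauth: { provider: PROVIDER, id: profile.id },
  };
  store.push(created);
  return { action: 'created', user: created };
}
```

With a Mongoose model the first lookup maps to `User.findOneAndUpdate({ 'oauth.provider': PROVIDER, 'oauth.id': profile.id }, ...)` with a unique compound index on those two fields.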