#medusa-plugin-auth get back error when already exists

12 messages · Page 1 of 1 (latest)

idle junco
#

This is to prevent any security issue; if you want to allow that for your user, you need to add the auth provider in the metadata and set it to true.

severe tapir
idle junco
#

This is the default behaviour of that plugin: if the user signs in with Google, the auth will be using Google and the user won’t be able to use another method.

What I understand from your first question is that someone is trying to log in with Google, but the email already exists, and it means that the user signed in with his email. Therefore the email becomes his auth method.

#

If you look at the documentation, the behaviour and flow is described on each page for each method 😅

regal torrent
#

@idle junco wouldn't the correct flow be to link both auth methods just like firebase handles such cases?

idle junco
#

I am not sure, but that is something you can decide yourself by changing the callback. The security issue would be that someone could authenticate on your behalf through another provider.

Let's take the following scenario:

  • you use a classic email/pass account
  • someone hacks your email account
  • this person goes to authenticate using another provider (here the email provider) and gets authenticated to your account

In most cases the platform does not allow that.

regal torrent
#

@idle junco I think if you get your Gmail hacked, your online store account is your smallest problem at this point. Feel free to disagree. If I log in with Gmail in a Medusa store and my Gmail gets hacked, then the protection is basically zero. Is it really worth the dev discomfort given the attack surface it covers? Your example above is good, but what percentage of the use cases does it cover, given how much easier it is to create a social login in Medusa vs user/pass that users have to remember/save?

idle junco
#

I see, what we could have is an extra option for the plugin (strict), and by default it is, but if you disable it, it lets you do what you are asking? Wdyt?

brisk ibex
#

Just to add my thoughts, I would LOVE such an option.

regal torrent
#

@idle junco sounds good

idle junco
regal torrent
#

@idle junco is there an option to keep the auth method of the user in the DB? For instance, if I know that a user has logged in with user/pass, then I should offer password reset functionality. But if the user has registered with Google, then it is not needed? Thanks
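The three ideas discussed in this thread, the account-takeover scenario idle junco describes (an email that already exists under one provider must not be claimed through another), the proposed `strict` option that would relax that rule, and regal torrent's question about keeping the registration provider in the DB so the shop knows whether a password reset makes sense, can be modelled in one small function. This is an added example, not code from medusa-plugin-auth or Medusa; the `strict` option, the `provider` field on the customer record and the `metadata.<provider> = true` allow flag are assumptions modelled on what the thread describes.

```typescript
// Added example, not medusa-plugin-auth code. Models the rule discussed in the
// thread: a customer remembers the provider it registered with; a login through
// a different provider is refused in strict mode unless the customer's metadata
// allows that provider; in non-strict mode the provider is linked instead. The
// stored provider also tells the shop whether a password reset is meaningful.
// Field names ("provider", "metadata", "strict") are assumptions.

type Provider = "emailpass" | "google";

interface Customer {
  email: string;
  provider: Provider;                 // provider the account was created with (assumed field)
  metadata: Record<string, boolean>;  // { google: true } permits that provider on this account
}

interface AuthOptions {
  strict: boolean;                    // hypothetical option proposed in the thread
}

type Decision =
  | { ok: true; customer: Customer; linked: boolean }
  | { ok: false; reason: string };

function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Called after the provider itself (Google, email/password, ...) has verified the identity.
function authenticateWithProvider(
  store: Map<string, Customer>,
  email: string,
  provider: Provider,
  opts: AuthOptions,
): Decision {
  const key = normalizeEmail(email);
  const existing = store.get(key);

  // First login: create the account and remember which provider created it.
  if (!existing) {
    const created: Customer = { email: key, provider, metadata: {} };
    store.set(key, created);
    return { ok: true, customer: created, linked: false };
  }

  // Same provider as at registration, or a provider the owner explicitly allowed.
  if (existing.provider === provider || existing.metadata[provider] === true) {
    return { ok: true, customer: existing, linked: false };
  }

  // Strict mode (the thread's default): an email that already exists under another
  // provider cannot be claimed through this one.
  if (opts.strict) {
    return {
      ok: false,
      reason:
        `${key} is already registered with provider "${existing.provider}"; ` +
        `set metadata.${provider} = true on the customer to allow it`,
    };
  }

  // Non-strict mode: link the new provider to the existing account.
  existing.metadata[provider] = true;
  return { ok: true, customer: existing, linked: true };
}

// A password reset only makes sense when the account actually has a password,
// i.e. it registered with email/password or later linked that method.
function offersPasswordReset(customer: Customer): boolean {
  return customer.provider === "emailpass" || customer.metadata["emailpass"] === true;
}
```

With `strict: true` the Google login on an existing email/password account is refused and the reason names the metadata flag an operator would set to allow it; with `strict: false` the same login links Google to the account. `offersPasswordReset` answers the last question in the thread from the stored provider alone, so a Google-only account is never shown a reset form it cannot use.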