A user already exists with that email address
«User is already registered with this e-mail address.» #409
Comments
EvanZ commented Feb 6, 2018
Trying to implement a FB login flow. I upgraded to v.0.9.3 because I thought it fixes the bug where you are already signed up via email. However, it now seems that the code knows the user is registered but doesn’t sign him in anyway. I am getting the access_token just fine from FB. I have tried both the /rest-auth/facebook/ and /rest-auth/facebook/connect/ endpoints, although not quite understanding the difference. At any rate, they are both resulting in the same 400 error.
EvanZ commented Feb 7, 2018
I found these comments in the latest commit:
Couple questions. Why is this a security issue? Isn’t the whole point of social authentication that you trust the OAuth provider? Second, how is one supposed to handle this in the frontend? It’s a common occurrence that people sign up for email first (often simply because a site or app adds social login later in the development cycle). It seems to me the only option this leaves me with is to tell the user «Sorry, you can only login with your email account.» Is that true?
philippeluickx commented Feb 8, 2018
maxim-kht commented Feb 8, 2018
Thank you @philippeluickx, yes it is implemented in the latest version by @aleksihakli and can be used via /rest-auth/facebook/connect/ view.
@EvanZ The difference between /rest-auth/facebook/ and /rest-auth/facebook/connect/ is, connect view only works after you logged in as a regular user via email and you wish to attach social account to this existing user. Here’s more info in the docs: http://django-rest-auth.readthedocs.io/en/latest/installation.html#additional-social-connect-views.
In order to use social connect view you need to
EvanZ commented Feb 8, 2018
Thanks @maxim-kht. I understand now.
aleksihakli commented Feb 9, 2018
@EvanZ and others: As previously stated in the thread it is possible that social authentication providers do not check the validity of user credentials.
For example, it’s possible to register a Facebook account with a phone number and then set a bogus email. I’m not sure if Facebook verifies all email addresses when setting them. This could lead to a login getting federated from Facebook to a custom backend using django-allauth and django-rest-auth and someone hijacking your account.
This is why it’s important to only connect social accounts when the user connecting them is logged in to their normal account.
We went through some different providers and scenarios in a past project and deemed that this was a legitimate problem as e.g. allauth has a whopping list of 63 supported providers. We couldn’t verify that all of them legitimately check the validity of user email addresses and other information; hence automatically connecting the accounts is very problematic.
EvanZ commented Feb 9, 2018
At least with FB, they tell you whether an email is verified or not. If they say it is verified, my understanding is that is a guarantee they verified it. I don’t know about how other social providers do it. From my perspective, it would make more sense to enable the library users to «trust and verify» the social auth providers that they use, and not force one way of thinking, but it is not my project, so not my choice to make. I understand now the security issue, which is important, and the tradeoffs. I will continue using this library because there really aren’t any good alternatives from what I’ve seen, and I don’t want to reinvent the wheel at all. Thanks for all your efforts!
aleksihakli commented Feb 9, 2018
I guess you could implement the trust settings if you’re inclined. I think it’s not sound security-wise to allow implicit connection of different user accounts, only explicit where both are verified and logged in. This sports more use cases as well, I think.
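The policy discussed in the thread above, as an added sketch that is not part of the thread and is not code from django-rest-auth or django-allauth: an email asserted by a provider never signs anyone in to an existing account, and linking only happens for a caller who is already logged in. `AccountStore`, `Decision` and `resolve_social_login` are hypothetical names, and the store is an in-memory stand-in for the user and social-account tables.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Decision(Enum):
    LOGIN = "login"      # social identity is already linked: sign that user in
    SIGNUP = "signup"    # email unknown locally: create a new account
    CONNECT = "connect"  # caller is logged in: link to their own account
    REJECT = "reject"    # email matches an account the caller has not proven they own


@dataclass
class AccountStore:
    """In-memory stand-in for the user and social-account tables (constructed)."""
    users_by_email: Dict[str, int] = field(default_factory=dict)
    links: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def create_user(self, email: str) -> int:
        user_id = len(self.users_by_email) + 1
        self.users_by_email[email.strip().lower()] = user_id
        return user_id


def resolve_social_login(store: AccountStore, provider: str, uid: str, email: str,
                         session_user_id: Optional[int] = None):
    """Return (Decision, user_id or None) for a provider-asserted identity."""
    key = (provider, uid)
    linked_user = store.links.get(key)
    if session_user_id is not None:
        # Explicit connect: the caller already authenticated to the local account.
        if linked_user not in (None, session_user_id):
            return Decision.REJECT, None  # identity is linked to someone else
        store.links[key] = session_user_id
        return Decision.CONNECT, session_user_id
    if linked_user is not None:
        # Matching is on (provider, uid), never on the email the provider reports.
        return Decision.LOGIN, linked_user
    if email.strip().lower() in store.users_by_email:
        # Same email, no proof of ownership: the hijack case raised in the thread.
        return Decision.REJECT, None
    user_id = store.create_user(email)
    store.links[key] = user_id
    return Decision.SIGNUP, user_id
```

The `REJECT` branch corresponds to the 400 response reported at the top of the thread; the frontend can answer it by asking the user to log in with their existing credentials and then connect the social account.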
How to check if user with email already exists?
I’m trying to prevent registration with a previously registered email. I tried to create a custom validation in the mongoose schema, but it gave me an error: ValidationError: User validation failed at MongooseError.ValidationError. The code is down below. Can someone tell me where the error is, or a better way to check if the user email exists in the db?
Router
The best way to check if the e-mail id already exists in the database or not is by using express-validator. Since their upgrade to version 4, the API has changed. Now, instead of using:-
..in your app.js file, and then calling the middleware. Instead, just do this in your users route file:-
Now, to check if the e-mail id already exists in the database, you will have to use Promise. Here’s a working code:-
You can similarly do this to check for the username also. Here is the link to the official GitHub page of express-validator
You can use email-check package for checking whether the user had been previously registered (whether there is a duplicate email address inside email field).
Here is the link for downloading the package https://www.npmjs.com/package/email-check
Writing the unique: true property inside Models will keep the mail address from being repeated. But you should also include the email-check validation, which you can do inside the Router.
emailCheck returns a Promise. Note: I am using ES6 syntax.
That’s all. Your UserSchema can stay without any validation.
«An account already exists with the same email address» without a switched account
I’m experiencing a very weird issue with Firebase Auth using Facebook. A month ago I created a test user in Facebook to log in with, like I always do. When I try to use it now, I get this error:
I’ve seen this error before when people move from Facebook to Google with the same email. HOWEVER, this is not the case. This dummy Facebook user is totally not linked to a Google account. I can also find its email address back in the Firebase console, where it is still marked as Facebook:
This issue first appeared in the same timeframe as an upgrade of the Facebook plugin and SDK. I’ve however retested this account now on the old plugin and SDK versions and the issue remains, so this seems to be a coincidence.
Other accounts seem to work but we had a similar issue in our production environment which we now think could have been the same. This gives us the opportunity to fully debug this one.
Extra information: The (web)app runs on Angular (Ionic cordova). We are using the firebase.auth.FacebookAuthProvider; the error appears on both the Cordova (firebase.auth().signInWithCredential) and web (afAuth.auth.signInWithPopup) versions. The network calls to Facebook and Googleapis seem to be ok and return the correct identity (see screenshot 2); it seems as if the Firebase package is incorrectly giving this error.
Console error:
Firebase Identitytoolkit Network response:
In firebase login getting error «An account already exists with the same email address but different sign-in credentials» in android
Here I am trying to implement Google, Facebook and Twitter login using Firebase.
I have faced many scenarios which were not clear to me.
Each individual login is working correctly; I didn’t find any problem here.
My requirement is: when the user logs in with xxxxx@gmail.com for the first time with some provider (Google, Facebook, Twitter) and, after success, the user logs out, then on the second login, if the user uses the same id xxxxx@gmail.com with some provider other than the one used before, we should not allow the login process. The user needs to log in with the same provider from then on.
The first time, when I log in with xxxxx@gmail.com using Google, after the success popup I log out. The second time, I try to log in with the same id xxxxx@gmail.com using Facebook or Twitter, and it throws an error «An account already exists with the same email address but different sign-in credentials».
The first time, when I log in with xxxxx@gmail.com using Twitter or Facebook, after the success popup I log out. The second time, I try to log in with the same id xxxxx@gmail.com using Google. It does not show any exception. Here I need to notify the user «xxxxx@gmail.com is associated with Twitter or Facebook, use the same provider to log in».
I don’t know what’s happening in the second case.
For this id xxxxx@gmail I have google, Facebook and twitter account.
My app has gmail and facebook authentication integrated through Firebase. I noticed if someone signs up with their gmail then signs up with Facebook, if the Facebook had the same email as their gmail then they’ll get the error:
«The email address is already in use by another account.»
Is the only reasonable way to handle this to tell the user to sign in with different credentials? Maybe show a message like «Email already in use, please sign up with different account»?
There are 3 ways in which you can handle this problem.
The first one is to verify if the email address exists and then display a message. This is exactly what you said. The message is up to you.
The second approach is to enable users to have multiple accounts per email address. In other words, if a user signs up with gmail and then signs up with Facebook and he has the same email address, then he ends up having 2 different accounts. A single email address, 2 different accounts. This is not a good practice, but according to your needs, you can even use it.
The third approach is to have only one account per email address. This means that you are preventing the users from creating multiple accounts using the same email address with different authentication providers. This is a common practice and also the default rule in the Firebase console. This means that if you later want to implement another kind of authentication with another provider, it will follow the same rule. In this case, you will have a single email address with a single account.
Sources:
- http://stackoverflow.com/questions/42381683/how-to-check-if-user-with-email-already-exists
- http://stackoverflow.com/questions/67079521/an-account-already-exists-with-the-same-email-address-without-a-switched-accou
- http://stackoverflow.com/questions/47975207/in-firebase-login-getting-error-an-account-already-exists-with-the-same-email-a
- http://stackoverflow.com/questions/43795134/dealing-with-email-address-already-in-use-firebase-authentication