Cannot Turn Off Automatic Account Merging #209
Comments
This is a good suggestion @wiverson. Just curious, why do you want to turn off automatic merging?
Working on an entertainment title. User has a public professional profile for GitHub and a personal profile for Twitter. User creates account with GitHub, but now can't create account with Twitter. People have different (public) identities on different services even if they have the same (private) email address.
Also, seems like a potential security issue, although depends on how elaborate an attack scenario & trust levels for things like abandoned/semi-abandoned accounts. 🤷‍♂️
This actually gets worse the more social accounts that are supported. For example, I'd like to support people logging in with Google, Discord, Twitch and email/pass. It's very easy to imagine people having very different avatars for those accounts that reflect very different identities - for example, they may have their work photo associated with their Google account, and a personal "fun" account photo for their Discord/Twitch identity. It would be nice to be fancy and offer things like an API to allow users to select their preferred profile. I can offer custom avatars, but that's getting a bit further away from the simplicity. My particular case is for a game for streamers, so I'd like users to be able to log in with an identity that matches the streamer's identity. For example, if the streamer is hosting a game on Twitch, I'd like folks to be able to use their Twitch identity. If the streamer is hosting on Discord, I'd like to support that. Right now, once someone is registered with an email address, that's it. If they register on Twitter first, I can't get their Discord or Twitch id - I just get the Twitter account back. Basically, Supabase is just taking a very simple merge strategy - "hey, same email, same person, done" but unfortunately it's quite a bit more complicated than that. The short term solution is to just allow turning off merge - then if someone logs in with Twitter, I get their Twitter identity. Twitch, Discord, email/pass, whatever. If supporting account linking in the future, add the needed APIs. My two cents - let me know if there is anything I can do to help. :)
Somehow related to this: https://github.com/supabase/supabase/issues/2556 I also think of this somehow, where people nowadays try to create multiple accounts; for example, they use FB for an account for personal things and Google for maybe a branding account, which can be possible with the same email address.
Hi everyone, we currently don't have plans to support manual linking of accounts in the near future. Currently, GoTrue only supports automatic linking of accounts based on the user's email. We will revisit in the future though, so feel free to follow along on #313
Describe the bug
Supabase automatically merges different provider accounts by email address.
To Reproduce
Expected behavior
Couple of different options - Firebase has a flow for this scenario, but it's a bit complicated IMHO:
https://firebase.google.com/docs/auth/web/account-linking
Suggestion:
Create a switch in Supabase UI that defaults to off - "Allow Account Merging". If it's off, logging in with different providers creates different accounts - the end.
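
The "same email, same person" merge described in this thread, next to the proposed "Allow Account Merging" switch, as an added sketch that is not part of the original issue and is not GoTrue's code. The `Store`, `Identity` and `User` types, `find` and `SignIn` are hypothetical, and the sample logins are constructed.

```go
package main

import "fmt"

// Hypothetical in-memory model (not GoTrue's schema). AllowAccountMerging is
// the switch proposed in the issue.
type (
	Identity struct{ Provider, Subject, Email string }
	User     struct{ ID int; Identities []Identity }
	Store    struct{ AllowAccountMerging bool; users []*User }
)

// find returns the first user owning an identity that satisfies match.
func (s *Store) find(match func(Identity) bool) *User {
	for _, u := range s.users {
		for _, id := range u.Identities {
			if match(id) {
				return u
			}
		}
	}
	return nil
}

// SignIn resolves a provider login to a local user.
func (s *Store) SignIn(in Identity) *User {
	// A returning (provider, subject) pair always maps to its existing user.
	u := s.find(func(id Identity) bool { return id.Provider == in.Provider && id.Subject == in.Subject })
	if u == nil && s.AllowAccountMerging {
		// Merge on: same email is treated as same person; the older account absorbs the login.
		if u = s.find(func(id Identity) bool { return id.Email == in.Email }); u != nil {
			u.Identities = append(u.Identities, in)
		}
	}
	if u == nil { // merge off, or no email match: a separate account
		u = &User{ID: len(s.users) + 1, Identities: []Identity{in}}
		s.users = append(s.users, u)
	}
	return u
}

func main() {
	for _, merge := range []bool{true, false} {
		s := &Store{AllowAccountMerging: merge}
		a := s.SignIn(Identity{"twitter", "tw-1", "sam@example.com"}) // constructed sample login
		b := s.SignIn(Identity{"twitch", "tv-9", "sam@example.com"})  // same email, other provider
		fmt.Println(merge, a.ID, b.ID, b.Identities[0].Provider)
	}
}
```

With merging on, the Twitch login resolves to the account first created through Twitter; with it off, each provider login gets its own account and a repeat login still finds it.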