@NigelG had a thread about this, I believe. It should just work, if someone is already logged in and then they authenticate with the social login, it should merge the accounts. I can’t find the thread from my phone, but I remember doing this myself when I set it up. I believe the trick is the user had to already be logged in by email before adding the social.
Thanks for the shared document. But @mvandrei configured that before.
The thing is that if we create a user using the Sign up action in the workflow section, the user will not be able to sign in via his social network account, which has the same email address.
A user with email [email protected] has been signed up on the Bubble app using his email and password.
That user decided to skip an optional step which should tie his Google account to the current one. So, he skipped the step and accounts weren’t tied.
He left the app. After a while he decided to come back to get some articles. He noticed that he doesn’t remember the password of the account. So, he cannot sign in.
He wants to sign in using a button Sign in via Google, because his Google account has the same email address which he used for creating the account.
In this case, he will be alerted that the user with [email protected] is already in use.
By logic, that user is the owner of the email [email protected] which is used on both sides. In this case, the system should allow the user to sign in as the created user, even if the user didn’t tie his Google account before.
Basically, 2 or more persons cannot own the same email address. So, it isn’t dangerous.
BTW, a lot of platforms allow that. It would be great if Bubble would also allow this.
What will you achieve by doing that?
You’ll not be able to reset your password, etc.
BTW, it is not a good view to not use email confirmation.
Hey @mvandrei, try this workflow.
- Get the user to login
- Show a button to connect Google/Facebook (You will have to use the API connector plugin to your Google App/Facebook App)
- Fetch the token, and make changes to the “User” record on your database for the “current user”
- Reuse the token for any API calls and then Refresh/ReAuthenticate when expired
See if the below post would help you build the API connector.
I totally agree with @lottemint.md here. If the user has already signed up with a social media account, and some time later he tries to sign up with a different social media account, if both social media accounts share the same email address, then it’s safe to assume that the user is the same and Bubble should sign him in instead of showing the current error ‘This email is already in use’.
I believe it’s bad user experience what is happening now…
What would happen if a user had signed up using say Facebook, and some time later he deleted his Facebook account, how would that user be able to sign back in?
If he uses a different social network to sign in, he won’t be able to sign in as the email address will exist already. So effectively, this user would have to create a new account with a different email address, right?
Our engineering team reviewed this request and don’t believe it’s a good idea to auto-merge profiles if you first login with Facebook then try to signup with a regular login. This can be a security issue if someone guesses an email, adds a password and then gains control of an account.
But you can check the email address used by the social media account. Like when you login with facebook it can ask to check/see your email address and register that too.
Then, if you want to login via G+ or using gmail (in this scenario the facebook’s account is gmail), it will allow you and load your profile. So you can login with either: email, fb, g+
L.E. You’d also have to confirm that email address… so there is no security risk involved.
But what about if the user signs in the second time with a different social account, and not with the regular address? If this new social account authenticates the user, and the email address already exists in the database, merging accounts would not pose any security risk whatsoever. Why would this pose a risk?
Regarding the user trying to sign in with a regular account, I could agree with you that there would be a security risk if the website did not validate the email address by sending an actual email to that email address.
But I repeat, I don’t think there’s any security risk if the user tries to sign in using a different social account.
Finally, how do you suggest then we can solve the issue I described on a previous post, where a user had signed up initially with a social account (say Facebook), then he deleted his Facebook account, and then tried to sign in again to the website (using a different social account with the same email address, or regular email authentication)? Because right now this is an unsolved issue.
@mvandrei Is your point that socials require email verification already so this check does not need to be done on Bubble’s end?
@miguel Just want to make sure we understand the user flow for your multiple scenarios.
- User signs up through regular login
- While logged in, user authenticates with social 1 merging profiles
- While logged in, user authenticates with social 2 merging profiles -> Does this step give you an error? If it does, this is a bug.
- User authenticates with social
- User deletes social but that account is still retained on a Bubble app -> this step will not necessarily save social’s email to Bubble app. If the email is not saved to database and user tries to signup now with that email, the signup will be successful as a separate account
- User tries to signup with that deleted social’s email but gets an error -> What error do you see?
Yes and no. I mean, if you signup via social media you can have access to what email address that social media uses, right? And later, if the user wants to signup using the same email address, then it validates the email address previously used with that social media. If it’s a different one, it can link it with social media account. For example:
I want to signup via email. [email protected] Later, I want to skip the email and password step and just tap on facebook social media login option. I am using the same email address on that social media account ([email protected]) as I did via direct email authentication. Since it’s mine, I can merge the two of them, under one account. From now on, if I login via email or social media, I will end up on the same account.
And please make email address confirmation mandatory on Bubble. If a user has bad intentions, it will signup using temp email that can be banned, or create fake ones, under custom domain names and TLDs… But this will help on social media MERGING with email address under a single account.
In this case, we will require the user to (manually) associate an email address with that social media account.
It’s good as a backup plan too, in case something happens to the social media account.
@mvandrei If the email signup and social profile are already merged, you can login with either method going forward. The current limitation is that you have to sign up with email first, then merge with social.
Good point about requiring email address confirmation for socials. We recommend doing this with workflows currently but an official approach can definitely help.
There’s precisely a missing scenario, which is the one I have been trying to explain in several messages:
- User signs up on Bubble app using a social media account (say Facebook). Email address is stored in the database
- User deletes his Facebook account. Email address is still stored on Bubble app
- User tries to sign into Bubble app using a different social account (say Twitter), which shares the same email address as the one stored in Bubble app from Facebook login
- User cannot login because Bubble app says the email address is in use. User has to create a new account and lose all the information from previous account.
Also, the scenario described by @mvandrei is great. A user may sign in with any account (be it regular email -validated- or social accounts) and if they share email address, they are merged.
@NigelG, I don’t think it’s a question of whether it can be done or not. Of course anything can be done, using Auth0 or whatever else. I believe it’s a matter of Bubble providing a standard functionality that makes sense to the user and provides a good user experience. Forcing a user to remember which social account he used to first sign in, or forcing the user to create a new account in Bubble because he deleted the social account he first used to sign up is definitely not a good user experience, in my opinion.
Ok, agree that email address might not always be available on the social accounts (and in these situations, there’s nothing we can do about it), but if it is, and it’s the same, wouldn’t it make sense to merge the accounts, since we can safely assume the social accounts belong to the same user?
Also, if the user first used a social account (with an email address associated) to sign up, then deleted that social account, and then tried to sign back in to the Bubble app with the same email address (using a different social account), right now the user would not be able to sign in, unless the user used a social account with a different email address. This is currently a problem with no solution as far as I know.
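The merge rule debated in this thread, as an added example that is not part of any post and is not Bubble's implementation: a same-email social sign-in is linked only when the provider asserts a verified email and the stored address was itself confirmed, which covers both the deleted-Facebook scenario and the guessed-email concern. The `Account` fields, the `provider_verified` flag and the action names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    email_verified: bool  # confirmed by an emailed link or asserted by a provider
    identities: set = field(default_factory=set)  # {(provider, provider_user_id)}

def resolve_social_login(accounts, provider, subject, email, provider_verified):
    """Decide what a social sign-in may do. Returns (action, account_or_None)."""
    key = (provider, subject)
    # 1. This social identity is already linked: plain sign-in.
    for acct in accounts:
        if key in acct.identities:
            return "sign_in", acct
    # 2. Some providers return no email; nothing to match on.
    if not email:
        return "ask_for_email", None
    norm = email.strip().lower()
    match = next((a for a in accounts if a.email.strip().lower() == norm), None)
    if match is None:
        acct = Account(norm, provider_verified, {key})
        accounts.append(acct)
        return "created", acct
    # 3. Same email on file: merge only when BOTH sides proved ownership.
    #    An unverified local sign-up may be someone who guessed the address.
    if provider_verified and match.email_verified:
        match.identities.add(key)
        return "linked", match
    # 4. Otherwise link nothing until a confirmation mail is answered.
    return "confirm_email_first", match

if __name__ == "__main__":
    # Constructed sample data, not taken from any real app.
    accounts = [
        Account("user@example.test", True, {("facebook", "fb-1")}),
        Account("guessed@example.test", False),  # password sign-up, never confirmed
    ]
    print(resolve_social_login(accounts, "twitter", "tw-9", "User@Example.test", True)[0])
    print(resolve_social_login(accounts, "google", "g-3", "guessed@example.test", True)[0])
```
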