@mvandrei If the email signup and social profile are already merged, you can login with either method going forward. The current limitation is that you have signup with email first then merge with social.
Good point about requiring email address confirmation for socials. We recommend doing this with workflows currently but an official approach can definitely help.
Thereâs precisely a missing Scenario, which is the one I have been trying to explain on several messages :
Scenario 3:
User signs up on Bubble app using a social media account (say Facebook). Email address is stored in the database
user deletes his Facebook account. Email address is still stored on Bubble app
user tries to sign into Bubble app using a different social account (say Twitter), which shares the same email address as the one stored in Bubble app from Facebook login
user cannot login because Bubble app says the email address is in use. User has to create a new account and lose all the information from previous account.
Also, the scenario described by @mvandrei is great. A user may sign in with any account (be it regular email -validated- or social accounts) and if they share email address, they are merged.
@NigelG, I donât think itâs a question of whether it can be done or not. Of course anything can be done, using Auth0 or whatever else. I believe itâs a matter of Bubble providing a standard functionality that makes sense to the user and provides a good user experience. Forcing a user to remember which social account he used to first sign in, or forcing the user to create a new account in Bubble because he deleted the social account he first used to sign up is definitely not a good user experience, in my opinion.
Ok, agree that email address might not always be available on the social accounts (and in these situations, thereâs nothing we can do about it), but if it is, and itâs the same, wouldnât it make sense to merge the accounts, since we can safely assume the social accounts belong to the same user?
Also, if the user first used a social account (with an email address associated) to sign up, then deleted that social account, and then tried to sign back in to the Bubble app with the same email address (using a different social account), right now the user would not be able to sign in, unless the user used a social account with a different email address. This is a currently a problem with no solution as far as I know.
@miguel Thanks for confirming flow for scenario 3. The user in this case can click âforgot your passwordâ, enter the email associated with their social and then click the reset link delivered to their email. This works in our testing but please submit a bug report if you are still running into issues in your use case.
But Neerja, what if the user does not want to use regular email but only social accounts? In my case, I donât want to keep passwords in my Bubble app so I will only accept social accounts.
@miguel From a user-friendliness perspective, once an email account has been merged with a social profile, users can choose to use only social login going forward. From a security perspective, passwords are stored salted and encrypted in our database. While we cannot completely get rid off a password requirement at the moment, there are options for being social first in your app.
Hello @neerja, I think itâs possible to completely get rid of the password. Currently I can log in in my Bubble app for the first time with a social account, and it will automatically create a User (assigning the email address stored in the social account).
The problem is that now, if the user deletes that social account, he will not be able to log in again with any other social account sharing the same email address.
@miguel your use case is certainly complex with multiple social accounts and login status. Itâs possible âcurrent userâ changes between those under some conditions. However, from a cart perspective, if a user is logged out with items in a cart saved to a custom state and then logs in with a social account to complete the purchase, you can create a new cart thing for the logged in user with current userâs cart items. If you are not seeing expected behavior here, please submit a bug report with reproducible steps so we can test and address those corner cases.
If you look at the scenario I painted, I never mentioned that the user had saved cart items in a custom state. What I said is that modification to the temporary User thing were lost as the user got a new User instance.
The scenario I tested is for an already registered user who is browsing the site anonymously (hasnât logged in yet), then carries out actions which modify current temporary User, then tries to login with a social account different to the one used to sign up (nothing complex here, most people have multiple social accounts, and not always remember which one was used for which site), gets a âemail existsâ error, then automatically gets a new temporary User, thus losing all the changes made to the previous temporary User.
âHowever, from a cart perspective, if a user is logged out with items in a cart saved to a custom state and then logs in with a social account to complete the purchaseâ
Looks same so far
Issue seems to arise with âemail already existsâ error. If cart items are being deleted at this point, a bug report will be helpful with reproducible steps or others on this thread can suggest error-handling or workarounds.
Thanks a lot mvandrei and Miguel to share this problem with me. I was astonished to realize that this basic behavior problem was quasi ignored by the bubble team, while developing tons of other (great) features. If you guys find a solution let me know because I donât see how a serious app can work without solving this pb of regular/different social logins mergingâŚ
Well, unfortunately itâs not quasi-ignored, but in fact fully ignored, because as far as I know they are not going to implement the social accounts merging at logging in.
@nicolas.bousson 2 social accounts are already merged if you authenticate into one while logged into other. Please submit a bug report if youâre seeing something different. We understand there are corner cases which might not be handled as well and a bug report will help our engineering team for that.
@neerja, I think we have explained the situation several times already. The problem is when a user, who is not logged in, tries to log in with a different social account to the one he had used before to sign up. The fact that you currently allow for two social accounts to be merged when the user is already logged in is irrelevant, as it does not solve the issue we have explained.
A user with several social accounts (the vast majority) will not always remember which social account he used to sign up. It is not a corner case, it happens very often.
You mentioned a few posts back that your engineers decided not to implement this due to security reasons. I think it would be great if Bubble let its customers decide what has security implications and what not, because what you might think is dangerous, it might not be for some of your customers. You could have a checkbox to allow social accounts auto-merging at login, instead of not enable it at all.
Hi @neerja, thanks for your quick reply but the I could not answer better than miguelâs response below: the current merging (user already logged in trying to log again) is irrelevant in my use case (by the way, if a user is already logged in, I donât see why asking him to login again, it can be avoided just with a âUser is logged inâ condition), and I also think the problem miguel and mvandrei and me have (described extensively and with great details many times on this page) is the majority of cases and the one that bubble team should address in priority. The solution suggested by miguel, allowing us to decide if we take the risk of having a social media account usurpation, would solve my problem.