Change email doesn't work for an OAuth'ed account


(Jacob Hoffman-Andrews) #1

At community.letsencrypt.org, one of our users signed up using GitHub. They had an old, dead email address on their GitHub account. After signing up with Discourse, they removed the old, dead email address from GitHub. However, it’s still present in Discourse. When they go to their preferences page and try to update to a new email, they get a message saying a confirmation email has been sent. However, they never receive a confirmation email. When I change my own email, I do get the confirmation. Could this be linked to the OAuth setting? What should I do to further debug / fix?

Thanks,
Jacob


(Hexa) #2

Hey @jsha!

Would it work if you had the user remove the connection between GitHub and Discourse and reconnect it?


(Jacob Hoffman-Andrews) #3

@Hexa, I’ll ask, thanks!


(Hexa) #4

No problem! Let me know if you have any other questions!


(Jacob Hoffman-Andrews) #5

Follow-up: Are you proposing to remove the connection at the Discourse end or the GitHub end? If you’re proposing to disconnect it at the Discourse end, where is the UI for that? And will the user be able to still log in once they’ve removed the OAuth connection?


(Kane York) #6

Is this user a moderator? Staff members must confirm email changes on both the old and new addresses to stop account takeovers.


(Jacob Hoffman-Andrews) #7

They are a moderator. So are you saying that if I remove the moderator bit, they’ll be able to change email address?


(Jacob Hoffman-Andrews) #8

Awesome, that fixed it! Thanks so much!

Feature request: When doing email changes for moderators, it would be nice to include messaging about the dual-confirmation requirement, either in the Web UI when submitting the request, or by sending mail to both old and new addresses in parallel, and including a note about the dual confirmation in the mail that goes to the new address.