Is there a way to tell what mechanism was used to log in?

email

(Jay Pfaffman) #1

I got an email from a user who is having trouble resetting her password.

> I’ve tried to reset my password to Literate Computing several times in the past three days. I have not received an email from the site with the reset link.

She attached a screenshot showing the “we found an account . . . you should receive an email” message. But she claims not to have received a message.

My guess was that she logged in using Google authentication and does not have a local password, but it would seem that if that were the case, she’d not have gotten that message, right?

On a related note, is there any way to tell whether a user account authorization is in the local database or done through Google (or Twitter) auth?


(Jay Pfaffman) #2

Found it:

On the user admin page, you can click SHOW EMAIL and the “logins” field below shows “(Google)user@gmail.com”


(Jeff Atwood) #3

Remember you can log in with traditional email / password in addition to logging in with Google, provided both logins map to the same email address. In fact you can log in with an unlimited number of different login methods, provided they all resolve to the same email address.


(Jay Pfaffman) #4

Hmm. Well, she still can’t log in. She said that when she tried to log in with Google, it asked her to make a new account. Currently, I’m hoping that she’s been trying to log in with a different Gmail address. (I know that she logged in originally with a personal account, but she may have thought she’d logged in with her University Gmail account, which would explain the new account thing.)


(Jay Pfaffman) #5

That was it. She was trying to log in with a different email address.

The fact that she’d not received any reset password messages is presumably because she told Discourse the wrong email address. I understand that it’s good security practice not to give away that fact, but it made things more difficult this time.

Making systems foolproof is difficult because fools are so ingenious. :smile:


(cpradio) #6

There is a setting for that. The name escapes me but I know it exists.


(cpradio) #7

Setting is forgot password strict


(Jeff Atwood) #8

And it is NOT on by default, e.g. we do tell people when we do not recognize their email.

(Not much worthwhile security theater here since attempting to create a new account would always forcibly reveal the existence of the email…)
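
The behaviour discussed across this thread, as a simplified Ruby model added here for illustration (it is not Discourse's code and not from any of the posters): logins resolve to an account by email, a different address gets the new-account prompt, and a strict password-reset response hides account existence while signup still reveals it. The class, method names, message symbols and sample addresses are all assumptions made for the example.

```ruby
# Simplified model, constructed for illustration; not Discourse source code.
# Accounts are keyed by email; each login method resolving to it is recorded.
class AccountStore
  def initialize(forgot_password_strict: false)
    @strict = forgot_password_strict # models the "forgot password strict" setting
    @accounts = {}                   # normalized email => list of login methods
  end

  # Local signup. It has to say when an email is taken (the point of post #8).
  def register(email)
    key = normalize(email)
    return :email_taken if @accounts.key?(key)
    @accounts[key] = [:local]
    :created
  end

  # External login attaches to the account with the same email; any other
  # address gets the new-account prompt (what happened in post #4).
  def external_login(provider, email)
    methods = @accounts[normalize(email)]
    return :offer_new_account unless methods
    methods << provider unless methods.include?(provider)
    :logged_in
  end

  def logins(email)
    @accounts.fetch(normalize(email), [])
  end

  # Returns [message shown to the requester, whether a reset email is sent].
  def forgot_password(email)
    found = @accounts.key?(normalize(email))
    return [:check_your_email, found] if @strict # same message either way
    found ? [:account_found, true] : [:no_account, false]
  end

  private
  def normalize(email)
    email.strip.downcase
  end
end

# Constructed sample addresses.
store = AccountStore.new(forgot_password_strict: true)
store.register("pat@example.com")
p store.external_login(:google, "pat@example.com")        # same email: linked
p store.external_login(:google, "pat@university.example") # different email
p store.forgot_password("pat@university.example")         # no email is sent
p store.register("pat@example.com")                       # signup still reveals it
```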