From what I can tell, if I’ve already created an account with my email address (say, via GitHub), then I sign out, then sign in via another service (such as Facebook) where I have the same e-mail, I’m logged in to my Discourse account with no further steps.
Here’s why this is a bug:
Say Alice has an email address, and a Facebook account, but not a Twitter account. She signs up for an account in Discourse using her Facebook account.
Later, Eve creates a Twitter account with Alice’s email address. Twitter lets you use an account without verifying the email address, so she then signs in to Discourse with this Twitter account. Discourse sees this Twitter account has the same email as Alice, and so logs Eve in as Alice.
Associating a new endpoint with an existing account should require verification from an already-authorized endpoint.
If this link is still relevant, I am not sure how Discourse can associate the Twitter account with an existing account email.
@stuartpb you are pointing out a possible weakness. Discourse should not rely on a flawed OAuth provider (not saying that Twitter is). If it is known that a common OAuth provider does not verify email addresses, Discourse cannot rely on the email given by that provider.
But as it appears, it is a hypothetical scenario.
Also, this is not going to solve this concern if the first verified user happened to be the user verified by a flawed OAuth provider.
Associating a new endpoint with an existing account should require verification from an already-authorized endpoint.
How would you propose achieving that? If you’ve linked your account to Google+, and then attempt to link the same account to Facebook, Discourse can’t ask Google+ for verification.
Or, when somebody logs in from a new endpoint, you prompt them to log in with one of the methods they’ve already authorized (so Password or Facebook is valid in the given example).
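The Alice/Eve scenario from the first post and the fix proposed in the last reply, as an added toy model that is not Discourse’s own code: provider names, the `auto_link_by_email` switch and the in-memory account store are assumptions for illustration.

```ruby
# Toy model of the account-linking decision debated in this thread (assumed
# design, not Discourse's implementation).
Account = Struct.new(:email, :providers)

class AccountLinker
  # auto_link_by_email: true reproduces the reported behaviour (link on email
  # match alone); false requires re-authentication with an existing method.
  def initialize(auto_link_by_email: false)
    @auto_link = auto_link_by_email
    @accounts = {} # normalised email => Account
  end

  # Outcome of signing in through +provider+, which asserted +email+:
  #   :new_account     - no account had this email; one was created
  #   :logged_in       - provider is already linked to the account
  #   :linked          - auto-linked on the email claim alone (Eve's path)
  #   :reauth_required - user is NOT logged in; must first sign in with a
  #                      method already on the account (proposal in last reply)
  def sign_in(provider:, email:)
    key = email.strip.downcase
    account = @accounts[key]
    if account.nil?
      @accounts[key] = Account.new(key, [provider])
      return :new_account
    end
    return :logged_in if account.providers.include?(provider)
    if @auto_link
      account.providers << provider # trusts an unverified email claim
      return :linked
    end
    :reauth_required
  end

  # Link +new_provider+ only after a successful sign-in with +via+, a method
  # that is already on the account. Returns true on success, false otherwise.
  def link_after_reauth(email:, via:, new_provider:)
    account = @accounts[email.strip.downcase]
    return false unless account && account.providers.include?(via)
    account.providers << new_provider unless account.providers.include?(new_provider)
    true
  end

  def providers_for(email)
    account = @accounts[email.strip.downcase]
    account ? account.providers.dup : []
  end
end
```

With the default settings, Eve’s Twitter sign-in with Alice’s address returns `:reauth_required` instead of a session, and Twitter is only attached once someone already holding Alice’s Facebook login links it.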