
Mike Ni's Profile

GitHub User: mikeni

Comments by Mike Ni


How do Celluloid actors mix with Rails, especially Active Record?


How does Chef compare to Puppet?


Another issue is, now that the OAuth info is in the cookie, it is only erased if an account is created.

Since no one has logged in yet, it still says logged out, so the user may leave the computer physically, and if a stranger decides to create an account, since it says logged out, that person will add your OAuth to his email account.

After checking out other websites like path.com and quora.com, it seems there are only two ways to do it correctly.

Either you have users create an account with a password and then link the OAuth; Path and Quora do this.

Or the other way is you have the OAuth itself be the current_user and don't have a User model. Many content sites and news sites do this.


OK, so all the problems come from the case where the user authenticates via OAuth but there is no one logged in.

Suppose you didn't activate confirmable: a malicious user could have registered an account with your email. You can't assume that if the email is the same it is the same person. Basically you need the user to authenticate as a user in Devise as well as authenticate via OAuth to link them.

Ryan did get it right where he creates a user with the same email if the user doesn't exist.

The problem is if a user account already exists with the email and it's not logged in.

So in that case, user.save will fail, but then do you redirect to registrations or sign in?

I would think redirecting to sign in would be better, since you don't want the user to be trying to create an account with the same email as he once did before.


There is a case the logic doesn't handle correctly, in my opinion.

Suppose you create a user
bob@aol.com

Now you log out.

OK, now you sign in with Facebook.
It will not find a provider, and not find current_user, which then
will create a new User and try to save it. However, that new user will have the same email as the provider, so it will be considered a duplicate and the user will not be allowed to save.
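The two comments above (the bob@aol.com dead end, and OAuth data lingering in the session until a stranger creates an account) can be checked with a small Rails-free model of the callback. This is an added example, not code from the RailsCasts episode or from these comments; `UserStore`, `naive_callback`, `safe_callback`, `link_pending` and `PENDING_TTL` are names assumed here, and the session is a plain hash standing in for the Rails session.

```ruby
# Added example: a Rails/Devise-free model of an OmniAuth callback, so the
# failure modes described in the comments can be exercised directly.
User = Struct.new(:id, :email, :provider, :uid)

# In-memory stand-in for ActiveRecord with a uniqueness validation on email,
# so `create` fails the same way user.save does in the bob@aol.com case.
class UserStore
  def initialize
    @users = []
  end

  def find_by_provider(provider, uid)
    @users.find { |u| u.provider == provider && u.uid == uid }
  end

  def find_by_email(email)
    @users.find { |u| u.email == email }
  end

  # Returns the new user, or nil when the email is already taken.
  def create(email:, provider: nil, uid: nil)
    return nil if find_by_email(email)
    user = User.new(@users.size + 1, email, provider, uid)
    @users << user
    user
  end
end

# The logic the comments describe: sign in by provider, link to the
# current user, otherwise create a user from the OAuth email.
def naive_callback(store, auth, current_user)
  if (user = store.find_by_provider(auth[:provider], auth[:uid]))
    [:sign_in, user]
  elsif current_user
    current_user.provider, current_user.uid = auth[:provider], auth[:uid]
    [:link, current_user]
  else
    user = store.create(email: auth[:email], provider: auth[:provider], uid: auth[:uid])
    user ? [:sign_in, user] : [:save_failed, nil] # existing email, nobody signed in: dead end
  end
end

# Hardened variant: an unauthenticated OAuth login never attaches itself to an
# account it merely shares an email with. The person must sign in as that
# account first, and the pending OAuth data is short-lived and one-shot.
PENDING_TTL = 5 * 60 # seconds; an assumption for this example, not a Devise/OmniAuth default

def safe_callback(store, auth, current_user, session, now: Time.now)
  if (user = store.find_by_provider(auth[:provider], auth[:uid]))
    session.delete(:pending_oauth)
    return [:sign_in, user]
  end
  if current_user
    current_user.provider, current_user.uid = auth[:provider], auth[:uid]
    session.delete(:pending_oauth) # consumed, so nobody else can pick it up later
    return [:link, current_user]
  end
  if store.find_by_email(auth[:email])
    # Account exists but ownership is unproven: require a password sign-in,
    # then link (the "sign in first" option from the comments).
    session[:pending_oauth] = { provider: auth[:provider], uid: auth[:uid], at: now }
    return [:redirect_to_sign_in, nil]
  end
  user = store.create(email: auth[:email], provider: auth[:provider], uid: auth[:uid])
  [:sign_in, user]
end

# Called after the password sign-in succeeds: link only if the pending data is
# fresh, and clear it whatever the outcome so it cannot outlive this attempt.
def link_pending(session, user, now: Time.now)
  pending = session.delete(:pending_oauth)
  return :nothing_pending unless pending
  return :expired if now - pending[:at] > PENDING_TTL
  user.provider, user.uid = pending[:provider], pending[:uid]
  :linked
end
```

With an existing bob@aol.com and nobody signed in, `naive_callback` returns `[:save_failed, nil]`, while `safe_callback` returns `[:redirect_to_sign_in, nil]` and stores the pending provider in the session; `link_pending` then attaches it only to the account that actually authenticated, and deletes it on every path so a later visitor to the same browser cannot inherit it.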


Facebook won't be around in 10 years; I need my own login.