I think this is more of a bug than anything, but our authentication requires people to sign up with a social provider (Twitter, GitHub, etc). Sometimes the account doesn't have an email associated with it, whether it's because of:
1. a bug on our end,
2. a bug on the provider's end,
3. the provider account does not have an email associated (for ex. Twitter phone number sign up)
For #3 specifically, it causes problems on a Forem's end, because we end up having no way of contacting the person if we need to.
What do you all think? I think we should fix this "bug" and ensure that people signing up have an email associated with them, but curious to hear people's thoughts if they think otherwise.
Top comments (4)
I 100% agree! Ensuring that a user has an associated email will also be beneficial for preventing spam signups, contacting users (in the off-chance that we need to for security + safety purposes). It also allows for fallbacks for password resets and allows us to "verify" someone's identity through email confirmation.
I think we need a better flow of accounting for this in onboarding. So yes, they're allowed, but we immediately make people fill in their email upon registration, just to close the loop on necessary functionality.
We should fix the bug, but we've always wanted to err dramatically on the side of "not spying on you", so with DEV the fact that we have this bug is not the end of the world.
yes, this is a security issue. you should also make sure to verify the address too, and prevent people from posting until they have verified. i think twitter requires this.
no. or rather, make it a config option