I’m trying to authenticate user using facebook API with passport js and for local authentication i modified default username authentication to email , but while authenticating using facebook if user denied sharing email my app is getting crashed and if i’m using user facebook id to authenticate ,user is able to authenticate both using local strategy and facebook also which should’nt happen … what changes should i do ?
Make sure that the Facebook sign-in provides the email.
Treat the Facebook sign-in and the email sign-in as 2 different accounts
My recommendation - Option 1
- Sometimes users don’t have emails in their Facebook account
- Asking the user to change their sharing settings might make them uncomfortable even though your intent is a simple sign-in
- It makes for a bad user experience for us to ask them to change their Facebook data to sign-in to your platform. This beats the point of providing easy sign-in through 3rd party accounts.
Hope this helps!
What if i use multiple social login like facebook , google , twitter should i consider all the accounts different ? As signup using 3rd party app always ask users if they want to share their mail ids
In theory yes, you should consider them as different accounts.
The problem with that is, it complicates somethings for the user.
- Users don’t usually remember their sign-in method.
- User mistakenly signs in through another method, and finds all his/her posts missing.
To avoid this confusion
- Use as few options as possible
- If your sign-up process is just email and password, think about cost vs benefit of providing 3rd party logins
- Try a programmatic way to handle the cases where you can.
Let me elaborate on the 3rd point. If the 3rd party sign-in provides an email, cross check if it exists already and show a message, that the “User with this email already exists”. This helps the user understand that he has already tried a different sign-in earlier on.
This solution is hence just a combination of the initial point (to treat all 3rd party logins separately) and an additional check if the email is provided in 3rd party sign-in.