This repository has been archived by the owner on Feb 10, 2021. It is now read-only.

logic for account merge suggestion #21

Closed
trungpham opened this issue Sep 30, 2012 · 4 comments
Comments

@trungpham

what is the code for figuring out if two accounts need to be merged?
is it based off email address?

@joscha
Owner

joscha commented Sep 30, 2012

Merging is detected if a person is currently logged in with Account A and logs in with Account B without signing out of Account A before. So the merging actually does not happen by email address (which would be dangerous as for example not all OpenID providers will guarantee the validity of the email address), but by the actual authentication user.

What exactly happens at the time of merging can be controlled from within the UserService - there is a method merge which has to be overridden if merging is enabled.
By default Play Authenticate will ask if the user wants to merge accounts - to automatically merge, you can set the setting play-authenticate.accountAutoMerge to true
You can also disable account merging completely by setting play-authenticate.accountMergeEnabled to false.
Have a look here at the available config options

@joscha joscha closed this as completed Sep 30, 2012
@joscha
Owner

joscha commented Sep 30, 2012

If you want to prevent users from creating multiple accounts that have the same email address, you might want to do that in the save method of the UserService - instead of creating a new user, you can just return an existing local user - be careful however with using the email address for that. Facebook for example does not guarantee the validity of the linked email address. Additionally, if there was a security breach at, let's say, Google that would allow users to add arbitrary email addresses, this would immediately make your app vulnerable as well.

If you are using OpenID providers, you can only trust them for the authentication part as well - not necessarily for the delivered user information, as anybody might just set up their own OpenID provider.

@workturtle

Joscha - Thanks for the pointer on how to force multiple accounts to be the same with the same email address. I followed it and augmented the code as follows. Please let me know if I'm doing it correctly. Thanks in advance.

In User.java:

```java
public static User findByEmailIdentity(final EmailIdentity identity) {
    // Look up the local user by the email address the provider delivered
    return User.findByEmail(identity.getEmail());
}
```

In MyUserServicePlugin.java:

```java
@Override
public Object save(final AuthUser authUser) {
    final boolean isLinked = User.existsByAuthUserIdentity(authUser);
    if (!isLinked) {
        // Not linked yet: if the provider delivered an email address, reuse the
        // local user that already has that address instead of creating a new one
        if (authUser instanceof EmailIdentity) {
            EmailIdentity emailAuthUserIdentity = (EmailIdentity) authUser;
            User user = User.findByEmailIdentity(emailAuthUserIdentity);
            if (user != null) {
                return user;
            }
        }
        return User.create(authUser).id;
    } else {
        // we have this user already, so return null
        return null;
    }
}
```

In MyUsernamePasswordAuthProvider.java:

```java
@Override
protected String generateVerificationRecord(
        final MyUsernamePasswordAuthUser user) {
    // Prefer the linked identity; fall back to the email address
    User u = User.findByAuthUserIdentity(user);
    if (u == null) {
        u = User.findByEmailIdentity(user);
    }
    return generateVerificationRecord(u);
}
```

@joscha
Owner

joscha commented Oct 22, 2012

Looks fine, yes - in your last section in MyUsernamePasswordAuthProvider the variable u might still be null if the user has been found by neither the auth user identity nor the email identity - you might end up generating a verification record for a non-existing user in that case, so you should make sure that this piece of code never gets called in the first place.
Also your code assumes emails to be valid, which might not be the case at all times (see first comment on this issue).
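The two rules discussed in this thread, linking by email only when the provider actually vouches for the address and merging on the "logged in as A, then authenticates as B" trigger, as an added self-contained example. This is not Play Authenticate's own code or workturtle's snippet: the classes AuthUser, LocalUser and AccountService are simplified stand-ins for the framework types, the set of email-verifying providers is an assumed configuration, and the in-memory maps replace the real User model, so it compiles and runs with plain javac/java (Java 9 or later).

```java
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class AccountLinkingExample {

    /** Identity delivered by a provider: provider name, provider-side id, claimed email (may be null). */
    static final class AuthUser {
        final String provider, id, email;
        AuthUser(String provider, String id, String email) {
            this.provider = provider; this.id = id; this.email = email;
        }
        String key() { return provider + ":" + id; }
    }

    /** Local account holding every provider identity linked to it. */
    static final class LocalUser {
        final int id;
        final Set<String> linkedKeys = new LinkedHashSet<>();
        LocalUser(int id) { this.id = id; }
    }

    static final class AccountService {
        // Assumption: only providers on this list guarantee the delivered email is verified.
        private final Set<String> emailVerifyingProviders;
        private final Map<String, LocalUser> byIdentity = new HashMap<>();
        private final Map<String, LocalUser> byEmail = new HashMap<>();
        private int nextId = 1;

        AccountService(Set<String> emailVerifyingProviders) {
            this.emailVerifyingProviders = emailVerifyingProviders;
        }

        /** Stand-in for UserService.save(): resolves the local user for a fresh login. */
        LocalUser save(AuthUser authUser) {
            LocalUser existing = byIdentity.get(authUser.key());
            if (existing != null) {
                return existing; // this identity is already linked
            }
            // Reuse an account by email only when the provider vouches for the address.
            // Otherwise anyone running their own OpenID provider could claim a victim's
            // email and be handed the victim's local account.
            boolean emailTrusted = authUser.email != null
                    && emailVerifyingProviders.contains(authUser.provider);
            String mailKey = emailTrusted ? authUser.email.toLowerCase(Locale.ROOT) : null;
            if (emailTrusted) {
                LocalUser byMail = byEmail.get(mailKey);
                if (byMail != null) {
                    link(byMail, authUser);
                    return byMail;
                }
            }
            LocalUser created = new LocalUser(nextId++);
            link(created, authUser);
            if (emailTrusted) {
                byEmail.putIfAbsent(mailKey, created);
            }
            return created;
        }

        /** Stand-in for UserService.merge(): the session for 'current' just logged in as 'other'. */
        LocalUser merge(LocalUser current, LocalUser other) {
            if (current == other) {
                return current;
            }
            for (String key : other.linkedKeys) {
                byIdentity.put(key, current);
                current.linkedKeys.add(key);
            }
            byEmail.replaceAll((mail, u) -> u == other ? current : u);
            other.linkedKeys.clear();
            return current;
        }

        private void link(LocalUser user, AuthUser authUser) {
            user.linkedKeys.add(authUser.key());
            byIdentity.put(authUser.key(), user);
        }
    }

    public static void main(String[] args) {
        AccountService svc = new AccountService(Set.of("google"));
        // Constructed logins: a trusted provider creates the account, a second
        // identity from the same trusted provider with the same email reuses it,
        // and an arbitrary OpenID provider claiming that email does not.
        LocalUser alice = svc.save(new AuthUser("google", "g-1", "alice@example.com"));
        LocalUser again = svc.save(new AuthUser("google", "g-2", "alice@example.com"));
        LocalUser impostor = svc.save(new AuthUser("openid:evil.example", "x", "alice@example.com"));
        System.out.println("verified provider reuses account: " + (alice == again));
        System.out.println("untrusted provider gets own account: " + (alice != impostor));
        // Merge trigger: alice is still logged in and authenticates with an unrelated identity.
        LocalUser fb = svc.save(new AuthUser("facebook", "fb-9", null));
        LocalUser merged = svc.merge(alice, fb);
        System.out.println("linked identities after merge: " + merged.linkedKeys);
    }
}
```

The decision to consult the email index is made per provider rather than per login, which is the point of joscha's warning: an address delivered by a provider you have not vetted is an unauthenticated claim, so it must never be the key that hands out an existing account.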
