Checking for pre-existing accounts from a different flow when using social connect

2025-11-01 00:07:39 +03:00 · 2017-10-05 12:06:05 +03:00 · 2017-10-05 12:06:05 +03:00 · 945008d326
commit 945008d326
parent 42d039b473
3 changed files with 22 additions and 2 deletions
--- a/rest_auth/registration/serializers.py
+++ b/rest_auth/registration/serializers.py
@ -1,6 +1,7 @@
 from django.http import HttpRequest
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
+from django.contrib.auth import get_user_model

 try:
    from allauth.account import app_settings as allauth_settings
@ -111,6 +112,20 @@ class SocialLoginSerializer(serializers.Serializer):
            raise serializers.ValidationError(_('Incorrect value'))

        if not login.is_existing:
+            # We have an account already signed up in a different flow
+            # with the same email address: raise an exception.
+            # This needs to be handled in the frontend. We can not just
+            # link up the accounts due to security constraints
+            if(allauth_settings.UNIQUE_EMAIL):
+                # Do we have an account already with this email address?
+                existing_account = get_user_model().objects.filter(
+                    email=login.user.email,
+                ).count()
+                if(existing_account != 0):
+                    # There is an account already
+                    raise serializers.ValidationError(
+                    _("A user is already registered with this e-mail address."))
+
            login.lookup()
            login.save(request, connect=True)
        attrs['user'] = login.account.user
--- a/rest_auth/tests/requirements.pip
+++ b/rest_auth/tests/requirements.pip
@ -2,3 +2,4 @@ django-allauth>=0.25.0
 responses>=0.3.0
 flake8==2.4.0
 djangorestframework-jwt>=1.7.2
+djangorestframework>=3.6.4
--- a/rest_auth/tests/test_social.py
+++ b/rest_auth/tests/test_social.py
@ -275,8 +275,12 @@ class TestSocialAuth(TestsMixin, TestCase):
            'access_token': 'abc123'
        }

-        self.post(self.fb_login_url, data=payload, status_code=200)
-        self.assertIn('key', self.response.json.keys())
+        # You should not have access to an account created through register
+        # by loging in through FB with an account that has the same
+        # email address.
+        self.post(self.fb_login_url, data=payload, status_code=400)
+        # self.post(self.fb_login_url, data=payload, status_code=200)
+        # self.assertIn('key', self.response.json.keys())

    @responses.activate
    @override_settings(