 

Architecture for merging multiple accounts and registering a user account

My question is almost the same as this one

The only difference is that users have an option to register (providing a username and password). Users should only have one account registered; if the user has the same email, I merge those accounts. My application also has another method for logging in, which is via Facebook.

What I basically do is

  • When the user visits the site for the first time, a user account is created for him or her which only has a username, password and email address; after that, a third-party identity record is created and then paired with the local account. However, the Users table will have an empty username and password, but the email will be filled with the user's email that we have retrieved from the third-party service provider.

And the second scenario:

  • A user attempts to register on the site. Check if the email exists; if the email exists but is registered using a third-party account, use the user-populated form and insert it into the user account paired with the third-party account. In short, if the user's email exists in the database, I will just merge the locally created account and the third-party account.

Now my question is: is my approach secure and credible? If not, what is the best way to merge accounts, and at the same time, if the user registers with the same email (the one from the third-party account) and he has a third-party account, would those accounts be merged?

user962206 asked Apr 19 '13 12:04


2 Answers

The way I look at this, there is only one account. One email, one account, period. There might be various attributes associated with that account, like for e.g. linked to a set of OAuth credentials etc. But fundamentally there is only one account. If your user has registered once using a social account and then tries to register again on your site, send them over to the social site which they used to register the first time and ask them to login there. Then log them into your site automatically. If the user has an account with your site and then tries to register again with a social account, tell them that you already have an account on the site and ask them to login. IMHO, keeping separate accounts and trying to merge them is a messy idea.

Mahesh Guruswamy answered Sep 28 '22 00:09


I would provide two sets of behavior, one when logged in and one when logged out.

When logged in, you provide the ability to link to new third-party accounts. For example, you sign up with email address and password, then log in, then you can link your Facebook account. To link your Facebook account you authorize with Facebook and then store the Facebook information in that user account record.

When logged out, you must log in with existing credentials. If, when logged out, you try to create an account with an existing email address, you either prevent the log in, saying "an account with that email address already exists", or you immediately challenge the user to log in to merge the account (in which case it works like the logged in case when linking an external account, only with the order of authentication operations reversed).

In case it's not clear from the above, I recommend having a single user account and a way to record linkages between that account and external accounts. You can do this in NoSQL by just adding fields to the user document or you can do this relationally by having a table representing external accounts with a foreign key linking them to the user ID.

Old Pro answered Sep 28 '22 01:09
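A sketch of the relational design described in the answer above, added here as an example and not code from either answer: one `users` row per email, an `external_accounts` table keyed to it, and linking allowed only from an authenticated session. SQLite, the table and function names, and the `LoginRequired` exception are assumptions; `password_hash` is taken to be already hashed by the caller.

```python
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    password_hash TEXT              -- NULL until a local password is set
);
CREATE TABLE external_accounts (
    provider TEXT NOT NULL,
    provider_uid TEXT NOT NULL,
    user_id INTEGER NOT NULL REFERENCES users(id),
    PRIMARY KEY (provider, provider_uid)
);
"""

class LoginRequired(Exception):
    """The email already has an account: authenticate to it before linking."""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def register_local(db, email, password_hash):
    """Logged-out registration: never attach to an existing email."""
    if db.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone():
        raise LoginRequired(email)
    return db.execute("INSERT INTO users (email, password_hash) VALUES (?, ?)",
                      (email, password_hash)).lastrowid

def link_external(db, session_user_id, provider, provider_uid):
    """Logged-in only: session_user_id comes from the authenticated session."""
    db.execute("INSERT INTO external_accounts VALUES (?, ?, ?)",
               (provider, provider_uid, session_user_id))

def login_external(db, provider, provider_uid, email):
    """Logged-out third-party sign-in, after the provider authenticated the user."""
    row = db.execute("SELECT user_id FROM external_accounts "
                     "WHERE provider = ? AND provider_uid = ?",
                     (provider, provider_uid)).fetchone()
    if row:
        return row[0]                       # known linkage: log in
    if db.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone():
        raise LoginRequired(email)          # an email match alone never merges
    uid = db.execute("INSERT INTO users (email) VALUES (?)", (email,)).lastrowid
    link_external(db, uid, provider, provider_uid)
    return uid
```

A caller that catches `LoginRequired` sends the user through the existing login method first and then calls `link_external` with the resulting session's user ID, so a merge only happens after both identities have been proven.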