Implementing account deduplication
The approach to implementing account deduplication is to override the backend functions / APIs which create a user such that:
- We check if a user already exists with that email.
- If a user does not exist, we call the original implementation; Else
- We return a message to the frontend telling the user why sign up was rejected.
Add the following override logic to ThirdParty
and EmailPassword
recipe configs on the backend
- NodeJS
- GoLang
- Python
- Other Frameworks
Important
import ThirdParty from "supertokens-node/recipe/thirdparty"
import EmailPassword from "supertokens-node/recipe/emailpassword"
import supertokens from "supertokens-node";
const recipeList = [
ThirdParty.init({
override: {
functions: (originalImplementation) => {
return {
...originalImplementation,
signInUp: async function (input) {
let existingUsers = await supertokens.listUsersByAccountInfo(input.tenantId, {
email: input.email
});
if (existingUsers.length === 0) {
// this means this email is new so we allow sign up
return originalImplementation.signInUp(input);
}
if (existingUsers.find(u =>
u.loginMethods.find(lM => lM.hasSameThirdPartyInfoAs({
id: input.thirdPartyId,
userId: input.thirdPartyUserId
}) && lM.recipeId === "thirdparty") !== undefined)) {
// this means we are trying to sign in with the same social login. So we allow it
return originalImplementation.signInUp(input);
}
// this means that the email already exists with another social or email password login method, so we throw an error.
throw new Error("Cannot sign up as email already exists");
}
}
},
apis: (originalImplementation) => {
return {
...originalImplementation,
signInUpPOST: async function (input) {
try {
return await originalImplementation.signInUpPOST!(input);
} catch (err: any) {
if (err.message === "Cannot sign up as email already exists") {
// this error was thrown from our function override above.
// so we send a useful message to the user
return {
status: "GENERAL_ERROR",
message: "Seems like you already have an account with another method. Please use that instead."
}
}
throw err;
}
}
}
}
},
}),
EmailPassword.init({
override: {
functions: (originalImplementation) => {
return {
...originalImplementation,
signUp: async function (input) {
let existingUsers = await supertokens.listUsersByAccountInfo(input.tenantId, {
email: input.email
});
if (existingUsers.length === 0) {
// this means this email is new so we allow sign up
return originalImplementation.signUp(input);
}
return {
status: "EMAIL_ALREADY_EXISTS_ERROR"
}
},
}
},
}
})
]
import (
"errors"
"github.com/supertokens/supertokens-golang/recipe/emailpassword"
"github.com/supertokens/supertokens-golang/recipe/emailpassword/epmodels"
"github.com/supertokens/supertokens-golang/recipe/thirdparty"
"github.com/supertokens/supertokens-golang/recipe/thirdparty/tpmodels"
"github.com/supertokens/supertokens-golang/supertokens"
)
func main() {
_ = []supertokens.Recipe{
emailpassword.Init(&epmodels.TypeInput{
Override: &epmodels.OverrideStruct{
Functions: func(originalImplementation epmodels.RecipeInterface) epmodels.RecipeInterface {
ogEmailPasswordSignUp := *originalImplementation.SignUp
(*originalImplementation.SignUp) = func(email, password, tenantId string, userContext supertokens.UserContext) (epmodels.SignUpResponse, error) {
existingUser, err := emailpassword.GetUserByEmail(tenantId, email)
if err != nil {
return epmodels.SignUpResponse{}, err
}
thirdPartyExistingUsers, err := thirdparty.GetUsersByEmail(tenantId, email)
if err != nil {
return epmodels.SignUpResponse{}, err
}
if existingUser == nil && len(thirdPartyExistingUsers) == 0 {
// this means this email is new so we allow sign up
return ogEmailPasswordSignUp(email, password, tenantId, userContext)
}
return epmodels.SignUpResponse{
EmailAlreadyExistsError: &struct{}{},
}, nil
}
return originalImplementation
},
},
}),
thirdparty.Init(&tpmodels.TypeInput{
Override: &tpmodels.OverrideStruct{
Functions: func(originalImplementation tpmodels.RecipeInterface) tpmodels.RecipeInterface {
ogThirdPartySignInUp := *originalImplementation.SignInUp
(*originalImplementation.SignInUp) = func(thirdPartyID, thirdPartyUserID, email string, oAuthTokens map[string]interface{}, rawUserInfoFromProvider tpmodels.TypeRawUserInfoFromProvider, tenantId string, userContext supertokens.UserContext) (tpmodels.SignInUpResponse, error) {
existingUsers, err := thirdparty.GetUsersByEmail(tenantId, email)
if err != nil {
return tpmodels.SignInUpResponse{}, err
}
emailPasswordExistingUser, err := emailpassword.GetUserByEmail(tenantId, email)
if err != nil {
return tpmodels.SignInUpResponse{}, err
}
if emailPasswordExistingUser != nil {
return tpmodels.SignInUpResponse{}, errors.New("Cannot sign up as email already exists")
}
if len(existingUsers) == 0 {
// this means this email is new so we allow sign up
return ogThirdPartySignInUp(thirdPartyID, thirdPartyUserID, email, oAuthTokens, rawUserInfoFromProvider, tenantId, userContext)
}
isSignIn := false
for _, user := range existingUsers {
if user.ThirdParty.ID == thirdPartyID && user.ThirdParty.UserID == thirdPartyUserID {
// this means we are trying to sign in with the same social login. So we allow it
isSignIn = true
}
}
if isSignIn {
return ogThirdPartySignInUp(thirdPartyID, thirdPartyUserID, email, oAuthTokens, rawUserInfoFromProvider, tenantId, userContext)
}
return tpmodels.SignInUpResponse{}, errors.New("Cannot sign up as email already exists")
}
return originalImplementation
},
APIs: func(originalImplementation tpmodels.APIInterface) tpmodels.APIInterface {
originalSignInUpPOST := *originalImplementation.SignInUpPOST
(*originalImplementation.SignInUpPOST) = func(provider *tpmodels.TypeProvider, input tpmodels.TypeSignInUpInput, tenantId string, options tpmodels.APIOptions, userContext *map[string]interface{}) (tpmodels.SignInUpPOSTResponse, error) {
resp, err := originalSignInUpPOST(provider, input, tenantId, options, userContext)
if err.Error() == "Cannot sign up as email already exists" {
// this error was thrown from our function override above.
// so we send a useful message to the user
return tpmodels.SignInUpPOSTResponse{
GeneralError: &supertokens.GeneralErrorResponse{
Message: "Seems like you already have an account with another method. Please use that instead.",
},
}, nil
}
return resp, err
}
return originalImplementation
},
},
}),
}
}
from supertokens_python import init, InputAppInfo
from supertokens_python.types import GeneralErrorResponse
from supertokens_python.recipe import thirdparty, emailpassword
from supertokens_python.recipe.thirdparty.asyncio import get_users_by_email as get_thirdparty_users_by_email
from supertokens_python.recipe.emailpassword.asyncio import get_user_by_email as get_emailpassword_user_by_email
from supertokens_python.recipe.thirdparty.interfaces import APIInterface, RecipeInterface as ThirdPartyrecipeInterface, SignInUpOkResult, APIOptions, SignInUpPostOkResult, SignInUpPostNoEmailGivenByProviderResponse
from supertokens_python.recipe.emailpassword.interfaces import RecipeInterface as EmailPasswordRecipeInterface, SignUpOkResult, SignUpEmailAlreadyExistsError
from typing import Union, Dict, Any, Optional
from supertokens_python.recipe.thirdparty.provider import Provider, RedirectUriInfo
from supertokens_python.recipe.thirdparty.types import RawUserInfoFromProvider
def override_emailpassword_functions(original_implementation: EmailPasswordRecipeInterface):
original_email_password_sign_up = original_implementation.sign_up
async def emailpassword_sign_up(
email: str, password: str, tenant_id: str, user_context: Dict[str, Any]
) -> Union[SignUpOkResult, SignUpEmailAlreadyExistsError]:
existing_user = await get_emailpassword_user_by_email(tenant_id, email, user_context)
third_party_existing_users = await get_thirdparty_users_by_email(tenant_id, email, user_context)
if (existing_user is None and len(third_party_existing_users) == 0):
# this means this email is new so we allow sign up
return await original_email_password_sign_up(email, password, tenant_id, user_context)
return SignUpEmailAlreadyExistsError()
original_implementation.sign_up = emailpassword_sign_up
return original_implementation
def override_thirdparty_functions(original_implementation: ThirdPartyrecipeInterface):
original_thirdparty_sign_in_up = original_implementation.sign_in_up
async def thirdparty_sign_in_up(
third_party_id: str,
third_party_user_id: str,
email: str,
oauth_tokens: Dict[str, Any],
raw_user_info_from_provider: RawUserInfoFromProvider,
tenant_id: str,
user_context: Dict[str, Any]
) -> SignInUpOkResult:
existing_users = await get_thirdparty_users_by_email(tenant_id, email, user_context)
email_password_user = await get_emailpassword_user_by_email(tenant_id, email, user_context)
if email_password_user is not None:
raise Exception("Cannot sign up as email already exists")
if (len(existing_users) == 0):
# this means this email is new so we allow sign up
return await original_thirdparty_sign_in_up(third_party_id, third_party_user_id, email, oauth_tokens, raw_user_info_from_provider, tenant_id, user_context)
is_sign_in = False
for user in existing_users:
if user.third_party_info.id == third_party_id and user.third_party_info.user_id == third_party_user_id:
is_sign_in = True
break
if is_sign_in:
return await original_thirdparty_sign_in_up(third_party_id, third_party_user_id, email, oauth_tokens, raw_user_info_from_provider, tenant_id, user_context)
# this means that the email already exists with another social or email password login method.
# so we throw an error.
raise Exception("Cannot sign up as email already exists")
original_implementation.sign_in_up = thirdparty_sign_in_up
return original_implementation
def override_thirdparty_apis(original_implementation: APIInterface):
original_sign_in_up_post = original_implementation.sign_in_up_post
async def sign_in_up_post(
provider: Provider,
redirect_uri_info: Optional[RedirectUriInfo],
oauth_tokens: Optional[Dict[str, Any]],
tenant_id: str,
api_options: APIOptions,
user_context: Dict[str, Any]
) -> Union[
SignInUpPostOkResult,
SignInUpPostNoEmailGivenByProviderResponse,
GeneralErrorResponse,
]:
try:
return await original_sign_in_up_post(provider, redirect_uri_info, oauth_tokens, tenant_id, api_options, user_context)
except Exception as e:
if str(e) == "Cannot sign up as email already exists":
return GeneralErrorResponse("Seems like you already have an account with another method. Please use that instead.")
raise e
original_implementation.sign_in_up_post = sign_in_up_post
return original_implementation
init(
app_info=InputAppInfo(
api_domain="...", app_name="...", website_domain="..."),
framework='...',
recipe_list=[
thirdparty.init(
override=thirdparty.InputOverrideConfig(
apis=override_thirdparty_apis,
functions=override_thirdparty_functions
),
),
emailpassword.init(
override=emailpassword.InputOverrideConfig(
functions=override_emailpassword_functions
),
)
]
)
In the above code snippet, we override the signInUpPOST
API (of the third party recipe) as well as the thirdPartySignInUp
and emailPasswordSignUp
recipe function.
The signInUpPOST
API is called by the frontend after the user is redirected back to your app from the third party provider's login page. The API then exchanges the auth code with the provider and calls the signInUp
function with the user's email and thirdParty info.
The emailPasswordSignUp
function is called by the API that handles email password sign up.
We override the thirdPartySignInUp
recipe function to:
- Get all ThirdParty or EmailPassword users that have the same input email.
- If no users exist with that email, it means that this is a new email and so we call the
originalImplementation
function which creates a new user. - If instead, a user exists, but has the same
thirdPartyId
andthirdPartyUserId
, implying that this is a sign in (for example a user who had signed up with Google is signing in with Google), we again allow the operation by calling theoriginalImplementation
function. - If neither of the conditions above match, it means that the user is trying to sign up with a third party provider whilst they already have an account with another provider or via email password login. So here we throw an error with some custom message.
Finally, we override the signInUpPOST
API to catch that custom error and return a general error status to the frontend with a message that will be displayed to the user in the sign in form.
We also override the emailPasswordSignUp
recipe function to perform similar checks:
- Get all ThirdParty or EmailPassword users that have the same input email.
- If no users exist with that email, it means that this is a new email and so we call the
originalImplementation
function which creates a new user. - Else we return the status that tells the user that the email already exists.
Multi Tenancy
For a multi tenant setup, the customisations above ensure that multiple accounts with the same email don't exist within a single tenant. If you want to ensure that there is no duplication across all tenants, then when fetching the list of existing users, you should loop through all tenants in your app, which you can fetch by using the listAllTenants
function of the multi tenancy recipe.