在我的网站上管理谷歌登录和常规用户登录的最佳方式

Question

I have a website where the user can create an account, given the basic user information like "username", "password", "e-mail", etc...

Now, I want to implement google sign-in, but im not sure how the back-end will be managed. Should I create a different table for google users, or merge it to the original user table, but the problem is the google sign-in has no password associated with it, do I make the password not required, generate a random password, or make the user create a password?

And what if the user wants to register through the regular means with the same e-mail, but it already used the google sign-in, should the account be merged with the original one so he doesn't loose his data?

Answer 1

what you are describing here is a problem that many websites have. I don't think that there is a right or a wrong answer.

From my experience: I would suggest to maintain a column in your user table that indicates the auth type. it could be "password" for users who login with password, and "google" for login with google users.

the password column should only be populated when the user actually uses the password auth mechanism. That is for security purposes to ensure no account take overs happen on accounts that are authenticated via other means.

If you want to allow users to "login with password", then you can implement a flow, that will:

• send a confirmation email to the user (so you know the person logged in has access to that mail account)
• when the user clicks the link asks the user to specify a password
• then save the password and update the authentication type.

Also - the other way around - when you have a user who has a password and then starts to click "login with google" - you should probably also have a flow to migrate the user to login with google.