fix(auth): take best guess when multiple accts with same email (#13980)

Co-authored-by: SabreCat <sabe@habitica.com>
2026-05-22 21:57:03 +00:00 · 2022-05-19 15:32:03 -05:00 · 2022-05-19 15:32:03 -05:00 · 31385b3e7b
commit 31385b3e7b
parent 1f2c926a54
1 changed files with 18 additions and 9 deletions
--- a/website/server/controllers/api-v3/auth.js
+++ b/website/server/controllers/api-v3/auth.js
@ -1,5 +1,6 @@
 import validator from 'validator';
 import moment from 'moment';
+import sortBy from 'lodash/sortBy';
 import nconf from 'nconf';
 import {
  authWithHeaders,
@ -341,15 +342,23 @@ api.resetPassword = {
    if (validationErrors) throw validationErrors;

    const email = req.body.email.toLowerCase();
-    const user = await User.findOne({
-      $or: [
-        { 'auth.local.username': email.replace(/^@/, '') },
-        { 'auth.local.email': email },
-        { 'auth.apple.emails.value': email },
-        { 'auth.google.emails.value': email },
-        { 'auth.facebook.emails.value': email },
-      ],
-    }).exec();
+    let user = await User.findOne(
+      { 'auth.local.email': email }, // Prefer to reset password for local auth
+      { auth: 1 },
+    ).exec();
+    if (!user) { // If no local auth with that email...
+      const potentialUsers = await User.find({
+        $or: [
+          { 'auth.local.username': email.replace(/^@/, '') },
+          { 'auth.apple.emails.value': email },
+          { 'auth.google.emails.value': email },
+          { 'auth.facebook.emails.value': email },
+        ],
+      },
+      { auth: 1 }).exec();
+      // ...prefer oldest social account or username with matching email
+      [user] = sortBy(potentialUsers, candidate => candidate.auth.timestamps.created);
+    }

    if (user) {
      // create an encrypted link to be used to reset the password