Signing with twitter, no password to change when wrong email entered

steveazz_

What happened:
1. So I signed up with tiwtter Oauth to create an account here.
2. Type in a valid email address which is not mine
3. Go change my email address in admin
4. Ask me for password (don't have one since I signed in with twitter)
5. Tried my twitter password, doesn't work

luceos

steveazz_ your twitter password doesn't work here, the oauth service allows you to identify yourself to Flarum. OAuth provides some details to the application (Flarum) like e-mail address and name, but absolutely not the password. The only way for one application to share a password is by storing it in cleartext and that by default is the highest security risk you can ever have.

Unless I misinterpreted your question.

jordanjay29

No, I think he ran into the same problem as I did. When you register with a SSO, Flarum doesn't give you the chance to set a password to make auth changes. I believe it's related to flarum/core674, which was "fixed" by removing the SUDO mode (that required a password for these changes).

It's possible there was a regression or it wasn't fixed properly for Twitter. Or that I'm off base here.

steveazz_

jordanjay29 I haven't tried the sudo mode since I signed up to the forum. But will defently try to reproduce it on my own installation and see if the SUDO mode fixes it.