parse-server: Parse.FacebookUtils.logIn is creating new users when Facebook ID already exists.
We have been using a very simple flow to log in users using Facebook that has been working for almost a year and a half, and now it has stopped working.
We use Parse.FacebookUtils.logIn to log in an existing user, or create a new one.
```javascript
var facebookAuthData = {
  "id": <fb_id>,
  "access_token": <fb_access_token>,
  "expiration_date": <fb_expiration_date>
};
Parse.FacebookUtils.logIn(facebookAuthData, {
  success: function(user) {
    if (user.isNew()) {
      // New user....
    } else {
      // Old user...
    }
  },
  error: ...
});
```
But it’s happening that although there is an existing user in the database with the exact <fb_id> that we pass to Parse.FacebookUtils.logIn(), it is creating a new user instead of logging in the existing user. Furthermore, this “new” user is created with a weird/random “username” in the database.
Some more details:
- Parse server version: 2.8.2. FB Graph version 3.0.
- We only see the issue in our “Production” environment. This is a Heroku dyno with a mongoLab add-on. Note that it uses a replica set.
- Our development environment uses a free-tier Heroku dyno, with a mongoLab add-on without a replica set. We DON’T see the issue here.
- New users that have never logged in, can successfully log-in using Facebook, and re-login Ok. The ones that are having trouble were old users that logged in through Facebook a while back (using FB Graph v2.2).
- After Parse.FacebookUtils.login() returns a “new” user when it shouldn’t, when we try to save to the new user (i.e. to set the email), the error returned by parse can be inconsistent. Sometimes it will say “code=203, message=Account already exists for this email address.” (since we had previously created the user and assigned the email address), but if I manually delete the malformed new user, sometimes instead of creating another malformed user, it will just say “Invalid access token”. Very weird.
- I’ve tried with older versions of Parse Server too (like 2.7.4) and the same issue happens.
I’ve tried for days trying to understand why this is happening with no luck. Any help appreciated, especially since this one reached our Production environment and previously FB logged users are being locked out.
Thanks in advance for the help.
About this issue
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 25 (16 by maintainers)
Fixed. Nice!
@tai-x you can try the branch `fix/issue-4897`, it should fix the issue. If you’re using npm >= 6, you can use the branch directly by setting the parse-server dependency to https://github.com/parse-community/parse-server#fix/issue-4897
@tai-x this is exactly the conclusion I was reaching now. In recent versions the user object follows ACLs and it is possible that legacy users without any ACL are getting locked out.
The new feature was introduced so a developer can close a user’s account without deleting it by marking the ACL completely private.
There are 2 ways to fix it for 2.8.2:
For now you can stick to 2.7.4 or update your old users’ ACLs so they can read themselves.
I’ll be working on a patch for this
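The ACL workaround from the comment above, as an added example that is not part of the original thread or parse-server's own code: a dry run over exported `_User` rows that plans a self-readable ACL for legacy rows with no ACL, and only lists rows whose explicit ACL blocks self-read, since a completely private ACL may be a deliberately closed account. The sample rows, the function names and the choice to grant self-write as well are assumptions.

```javascript
// Added example, not parse-server code. Rows are constructed samples in the
// Parse REST format: ACL maps a user id, role name or "*" to {read, write}.
const sampleUsers = [
  { objectId: 'aaa111', ACL: { '*': { read: true }, aaa111: { read: true, write: true } } },
  { objectId: 'bbb222' },                                   // legacy row: no ACL at all
  { objectId: 'ccc333', ACL: {} },                          // completely private
  { objectId: 'ddd444', ACL: { 'role:admin': { read: true, write: true } } },
  { objectId: 'eee555', ACL: { eee555: { write: true } } }  // self write, no read
];

// Classify one row:
//   'ok'     - the user can read their own row (directly or through "*")
//   'legacy' - no ACL field; the case the maintainer suspects is locked out
//   'review' - an ACL exists but blocks self-read; may be a deliberately
//              closed account, so it is never rewritten automatically
function classifyUser(user) {
  const acl = user.ACL;
  if (acl === undefined || acl === null) return 'legacy';
  const grantsRead = (key) => Boolean(acl[key] && acl[key].read === true);
  return grantsRead(user.objectId) || grantsRead('*') ? 'ok' : 'review';
}

// Dry-run plan. Legacy rows get an ACL granting the owner read and write
// (granting write too is this example's choice, not stated on the page).
function planAclRepairs(users) {
  const plan = { updates: [], review: [] };
  for (const user of users) {
    const kind = classifyUser(user);
    if (kind === 'legacy') {
      plan.updates.push({
        objectId: user.objectId,
        ACL: { [user.objectId]: { read: true, write: true } }
      });
    } else if (kind === 'review') {
      plan.review.push(user.objectId);
    }
  }
  return plan;
}

const plan = planAclRepairs(sampleUsers);
console.log(JSON.stringify(plan, null, 2));
```

Each entry in `plan.updates` is the body of a master-key update for that user; entries in `plan.review` need a human decision before any ACL change.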
As per @cbaker6’s comment, I re-tested using Parse 2.7.2, and the issue does not happen. Confirmed in 2.8.2.