account.get() does not check if Appwrite account is still linked with Google auth.

Yaveen · 2025-02-04T10:44:52.398Z

This is problematic... Users can simply just unlink from the Google website, and Appwrite just... doesnt know??

TL;DR

Developers are discussing issues with checking if an Appwrite account is still linked with Google auth. One developer suggests using `account.getSession('current')` to handle this, while another developer mentions potential solutions involving refreshing tokens or checking Google's API directly. They debate between automatically deleting sessions or implementing an unlink feature for better user experience. Ultimately, the recommendation is to allow users to delete their account or block it instead of retaining a "zombie" account. The discussion concludes with a reminder that Appwrite accounts are separate from specific authentication technologies and a request for the original user to clarify their use-case for further assistance.

unlink google account

button goes to the unlink google account page

and yk the user can unlink

this page

isn't that a bit problematic because on my side, the only form of auth is google 🤔

For good user experience, you can delete the session afterwards automatically, and they wont be able to sign-in again. Keep in mind this leaves a "zombie" account which cannot be accessed, but isn't deleted; you still store their data.

My recommendation here would be ability to delete, or block the account instead.

In my opinion, unlink makes more sense where there are multiple providers, and you want to unlink a specific one (often to link to same provider but with another account)

by delete the session afterwards automatically, how would i be able to do that?

like a) on button press, session is deleted b) or when detect unlinked, session is deleted

also the zombie account is fine

OAuth providers usually allow a redirectURL - they redirect user there after changing configurations to OAuth permissions.

So that would be B).

But honestly, A) doesnt sound too bad - if they decide not to delete and come back, they can simply sign-in again. And it's simpler to implement than B)

say we go for B,

how would that work?

because the only solution that I could find was to use user = account.get() and see what's inside user.prefs

but theres nothing in there

oh the other way was to get the oauth google token and check that with google's own API but idk how to get the token

You can do account.getSession('current'), and it sohuld have both refresh token, and access tokens (tokens used to do calls to Google APIs on behalf of the user)

oh whaaatt ok

so im assuming its just like

TypeScript

try {
  account.getSession('current');
} catch (e) {
  console.log("Unable to log in user", e);
  handleLogout(); // or whatever
}

or would account.getSession('current') return something

That would check for Appwrite user, same as account.get(). You need something like (pseudo code)

TypeScript

session = accoutn.getSession(current)
token = session.accessToken
response = fetch(api.google.com/v1/users, {
  headers: { authroization: token } 
})
if(response.ok is false) {
  handleLogout();
}

ok lemme take a look

Reply to this thread by joining our Discord

Reply on Discord

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more

Recommended threads

Need support?

Join our Discord

Get premium support