node.js, mongodb, express, passport.js, social-authentication

How can I detect if a user already signed up with a social account on my website and now wants to create a normal account?


How do I detect the changes?

My personal vision on this:

Let the user sign in with social auth, then add the email to the database (Mongo) but with no password?

Also, when the same user wants to register on the website with the same email but without the social auth and with a password, should I redirect him to his profile info from the social auth, like the username?

An example of what I am talking about:

User signs up with Google+ on Stack Overflow.

Then after a while comes back to sign up for an account with the same email but a different password.

What is the best way to deal with this situation, also from the GDPR standpoint? Can I use Passport for this?

Thank you


Solution

  • When a user registers with social auth, you can also prompt for a password (if you wish) or create an account without one. Next time a user registers using the same password, you should show the error message 'Email is taken'. In that case, the user should receive an automated email saying that there was an attempt to use his email, containing information on how this account was created (e.g. with Google+), as a reminder.

    Using social accounts for auth isn't safe, and asking for a password (requiring long passwords with special characters and upper/lower case letters) adds a little to the overall security. Two-factor authentication takes it to the next level. For most websites, it should be secure enough. Temporarily blocking accounts after a number of unsuccessful attempts is easy to implement and protects against brute forcing.

    Alternatively, a user should have the option to restore access to his account by requesting a password recovery URL to be sent to the email attached to the account. The user is then prompted to input a password that will be saved for the given account. Thus the user can log in to his account using email/password or the social auth that was used to create it.

    With regard to GDPR, a user should be able to:

    There should be clear T&C provided with a full description of what data is stored, why, and for how long.

    Additionally, security (2FA, https, etc.)

    This is in a nutshell ...