And look, how much a security hole it is, if email and password registration is NOT verified (non-premium plans). For example, if somebody (evil person) registers the email identical with another person's Google login.
Then suddenly server cannot differentiate this person's session from another one, of the person using Google login, because req.session.user has no Identity Provider ID....
I am using traditional email+pdw authentication strategy with my FusionAuth setup, as well as Google login.
In my application (Express.js), I do
console.log(req.session.user);
I expected to find something like Identity Provider Id, visible in my admin UI of FusionAuth.
But no, there is not info to distinguish from email-pwd logins and Google logins, when Google Account email is the same as in traditional login's case?
Is it an expected behaviour?