Login to the same account with Google/Facebook Passport strategies

I currently have Google and Facebook login in my node.js app using Passport.js strategies, but each of them creates a separate account because the current queries say: let user = await User.findOne({ facebookId: profile.id }); or let user = await User.findOne({ googleId: profile.id }); respectively.
I'm trying to make it log in to the same account, so I guess the only option is to base it on the email address, like so: let user = await User.findOne({ email: profile.emails[0].value });

Does that sound like a correct way? Is it safe? Any better ways?

Thanks

Answer

It is a common way and it's safe* as long as the email address is provided by a source of truth.

By adding social login, you are accepting Google or Facebook as a source of truth for this app, so once you have validated the token signature, whether you extract the email from the token itself or fetch the info from the social provider, it is common practice to correlate accounts using the email address.

Be aware that once the account is "connected" using the email address, if the user changes the email (in your app or within the provider's account) the connection will be broken.
Some web apps notify the user about that.

*It is safe once you accept the fact that your provider is a source of truth.
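The lookup order the answer implies (provider id first, then email, then create), as an added example that is not code from the question or the answer. It goes slightly beyond the answer in two ways: it only links on an email the provider marked as verified, and it stores the provider id after linking so that later logins match by id and a changed email does not break the connection. An in-memory Map stands in for the Mongoose User model; the profile shape (profile.id, profile.emails[0].value, profile.emails[0].verified) is an assumption about what the Passport strategies hand to the verify callback, and the Facebook profile in the walk-through is constructed, not a real one.

```javascript
// Added example: link Google/Facebook logins to one account by verified e-mail.
// Not from the original post. Constructed in-memory store replaces User.findOne/User.create.

const users = new Map(); // id -> user record
let nextId = 1;

function findOne(pred) {
  for (const u of users.values()) if (pred(u)) return u;
  return null;
}

function create(fields) {
  const user = { id: String(nextId++), googleId: null, facebookId: null, email: null, ...fields };
  users.set(user.id, user);
  return user;
}

// Field name per provider; mirrors the question's googleId / facebookId fields.
const PROVIDER_FIELD = { google: 'googleId', facebook: 'facebookId' };

// E-mail the provider attested, plus whether it claimed it as verified.
// Assumption: emails[0].verified is set from the provider's email_verified claim.
// Anything without an explicit verified === true is treated as unverified.
// Lower-casing the whole address is a simplification (local parts are
// technically case-sensitive); adjust to your own normalisation policy.
function attestedEmail(profile) {
  const entry = profile.emails && profile.emails[0];
  if (!entry || !entry.value) return null;
  return { value: entry.value.trim().toLowerCase(), verified: entry.verified === true };
}

// Lookup order:
//   1. provider id already linked -> same account, even if the e-mail has changed since
//   2. verified e-mail on file    -> link this provider id to that account
//   3. otherwise                  -> new account
// Never link on an unverified e-mail: a provider that lets someone register an
// address it does not own would otherwise let that person log in as the victim.
function findOrLinkUser(provider, profile) {
  const field = PROVIDER_FIELD[provider];
  if (!field) throw new Error(`unsupported provider: ${provider}`);

  let user = findOne(u => u[field] === profile.id);
  if (user) return { user, action: 'provider-id' };

  const email = attestedEmail(profile);
  if (email && email.verified) {
    user = findOne(u => u.email === email.value);
    if (user) {
      user[field] = profile.id; // linked; future logins for this provider hit step 1
      return { user, action: 'linked-by-email' };
    }
  }

  user = create({ [field]: profile.id, email: email ? email.value : null });
  return { user, action: 'created' };
}

// Walk-through with constructed profiles (not real provider data).
function scenario() {
  users.clear();
  nextId = 1;
  const google = { id: 'g-1', emails: [{ value: 'Alice@example.com', verified: true }] };
  const facebook = { id: 'f-1', emails: [{ value: 'alice@example.com', verified: true }] };
  const first = findOrLinkUser('google', google);      // created
  const second = findOrLinkUser('facebook', facebook); // linked to the same account

  // E-mail later changed at Google: still the same account via googleId.
  const googleRenamed = { id: 'g-1', emails: [{ value: 'alice.new@example.com', verified: true }] };
  const third = findOrLinkUser('google', googleRenamed);

  // Unverified e-mail that matches an existing account must NOT link.
  const unverified = { id: 'f-2', emails: [{ value: 'alice@example.com', verified: false }] };
  const fourth = findOrLinkUser('facebook', unverified);

  return { first, second, third, fourth };
}
```

In a Passport verify callback you would call findOrLinkUser('google', profile) (or 'facebook') after the strategy has validated the token, and pass the returned user to done(null, user). If a provider does not mark the address as verified, the safer options are to create a separate account or to ask the user to confirm the address out of band before linking.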