Nowhere because it does not.
We can say the same about traditional login-password authentication - anyone with a valid e-mail can authenticate.
I did not mean to say that this app allows authenticating via e-mail. I just mean that allowing any user to authenticate (register) via his social network profile (what was done in this app) presents no more security risks that allowing anyone with a valid e-mail to authenticate (register) in some other app.
Yeah, maybe I should have pinpoint the fact that creating an account means authenticating as well, but this is clearly seen from the controller’s code. Will keep that thing in mind.