Allow account linking for Google and SAML providers (#6874)

* allow account linking for self-hosted instances, both Google and SAML are verified emails * allow account linking for Google and SSO if emails match with existing username/password account * Tweaked find user by email since we now have multiple providers (other than credentials provider)
2023-02-08 18:39:56 +00:00 · 2023-02-08 18:39:56 +00:00 · 01db31c899
parent f7523b77a6
commit 01db31c899
2 changed files with 10 additions and 2 deletions
--- a/apps/web/pages/api/auth/[...nextauth].tsx
+++ b/apps/web/pages/api/auth/[...nextauth].tsx
@ -164,6 +164,7 @@ if (IS_GOOGLE_LOGIN_ENABLED) {
    GoogleProvider({
      clientId: GOOGLE_CLIENT_ID,
      clientSecret: GOOGLE_CLIENT_SECRET,
+      allowDangerousEmailAccountLinking: true,
    })
  );
 }
@ -202,6 +203,7 @@ if (isSAMLLoginEnabled) {
      clientId: "dummy",
      clientSecret: "dummy",
    },
+    allowDangerousEmailAccountLinking: true,
  });
 }

@ -497,7 +499,13 @@ export default NextAuth({
            return true;
          }

-          if (existingUserWithEmail.identityProvider === IdentityProvider.CAL) {
+          // User signs up with email/password and then tries to login with Google/SAML using the same email
+          if (
+            existingUserWithEmail.identityProvider === IdentityProvider.CAL &&
+            (idP === IdentityProvider.GOOGLE || idP === IdentityProvider.SAML)
+          ) {
+            return true;
+          } else if (existingUserWithEmail.identityProvider === IdentityProvider.CAL) {
            return "/auth/error?error=use-password-login";
          }

--- a/apps/web/pages/api/auth/signup.ts
+++ b/apps/web/pages/api/auth/signup.ts
@ -43,7 +43,7 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
      OR: [
        { username },
        {
-          AND: [{ email: userEmail }, { password: { not: null } }, { username: { not: null } }],
+          AND: [{ email: userEmail }],
        },
      ],
    },