Task/fix oauth for existing users#406
Conversation
|
|
📝 WalkthroughWalkthrough
ChangesRegistration Allowance Refactor
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
⚔️ Resolve merge conflicts
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
packages/trpc/src/routers/auth.ts (1)
92-96: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick winKeep the OAuth registration check on the callback’s new-user path.
Line 94 now lets every OAuth flow start, but the supplied stack says the OAuth callback only got a whitespace change. That means self-hosted deployments with registration disabled can still create new OAuth users. Move
getIsRegistrationAllowed(inviteId)to the OAuth callback branch that creates a user when no existing account is found.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/trpc/src/routers/auth.ts` around lines 92 - 96, The registration gate for OAuth was moved too early in signInOAuth, which now blocks or allows the entire OAuth start flow instead of only the new-user callback path. Keep getIsRegistrationAllowed(inviteId) in the OAuth callback branch that handles the no-existing-account case, and only apply it right before creating a new user there so existing users can still complete sign-in while registration-disabled deployments cannot create new OAuth accounts.apps/api/src/controllers/oauth-callback.controller.tsx (1)
100-114: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick winLink OAuth accounts instead of rejecting existing users
apps/api/src/controllers/oauth-callback.controller.tsx:100-114
handleNewUserstill throws when the email already exists, so a user who signed up with email/password can’t finish GitHub/Google OAuth. This path should attach the OAuth account to the matched user instead of erroring.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/api/src/controllers/oauth-callback.controller.tsx` around lines 100 - 114, The existing-user branch in handleNewUser currently throws a LogError when db.user.findFirst returns a match, which blocks OAuth sign-in for users whose email already exists. Update handleNewUser to link the OAuth provider account to the matched user instead of rejecting it, using the existingUser, oauthUser, and providerName data in apps/api/src/controllers/oauth-callback.controller.tsx, and only fall back to an error if account linking cannot be completed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@apps/api/src/controllers/oauth-callback.controller.tsx`:
- Around line 100-114: The existing-user branch in handleNewUser currently
throws a LogError when db.user.findFirst returns a match, which blocks OAuth
sign-in for users whose email already exists. Update handleNewUser to link the
OAuth provider account to the matched user instead of rejecting it, using the
existingUser, oauthUser, and providerName data in
apps/api/src/controllers/oauth-callback.controller.tsx, and only fall back to an
error if account linking cannot be completed.
In `@packages/trpc/src/routers/auth.ts`:
- Around line 92-96: The registration gate for OAuth was moved too early in
signInOAuth, which now blocks or allows the entire OAuth start flow instead of
only the new-user callback path. Keep getIsRegistrationAllowed(inviteId) in the
OAuth callback branch that handles the no-existing-account case, and only apply
it right before creating a new user there so existing users can still complete
sign-in while registration-disabled deployments cannot create new OAuth
accounts.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 109a2641-b9fe-40e1-bf63-8981b8cd099d
📒 Files selected for processing (3)
apps/api/src/controllers/oauth-callback.controller.tsxpackages/trpc/index.tspackages/trpc/src/routers/auth.ts
Summary by CodeRabbit
New Features
Bug Fixes