Summary
Users who authenticate through multiple OAuth providers using the same verified email address can end up with multiple independent accounts instead of a single linked identity.
This fragments profile data, cards, follows, analytics, and connected integrations.
Affected Files
- auth.ts
- oauth.ts
- userService.ts
Root Cause
OAuth account creation appears to key account lookup on the provider identity (provider plus provider account id) alone, with no verified-email reconciliation step.
When a user signs in with a second provider, the authentication flow finds no identity for that provider and creates a new account, rather than linking the new provider identity to the existing account whose verified email address matches.
Reproduction
- Sign up using Google OAuth.
- Create cards and profile data.
- Log out.
- Sign in using GitHub OAuth with the same verified email address.
- Observe that a second account is created.
- Compare profile and card ownership between both accounts.
Expected Behavior
OAuth providers asserting the same verified email address should resolve to the same user account, and the new provider identity should be linked to that account rather than creating a second one.
Actual Behavior
Separate user accounts are created for the same individual.
Why This Is Difficult To Detect
Most testing focuses on a single OAuth provider.
The issue only appears when multiple providers are used with the same verified email address.
Production Impact
- Duplicate user accounts
- Split profile ownership
- Lost cards and follows
- Confusing login experience
- Fragmented analytics
Suggested Fix
Implement verified-email reconciliation and provider linking before account creation:
- Look up the provider identity (provider, provider account id) first; if it exists, it is a returning login.
- Otherwise, if the provider asserts the email is verified, look up an existing user by normalized email and link the new identity to that user instead of creating a new one.
- Only create a new user when neither lookup matches.
- Never auto-link on an email the provider has not verified: linking on an unverified address would allow anyone who registers that address with a lax provider to take over the existing account. For that case, require the user to sign in with the existing account and link the provider explicitly.
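The reconciliation order above, written out as an added example. This is illustrative code and not the project's own auth.ts, oauth.ts or userService.ts; the `OAuthProfile` shape, the in-memory `AccountStore` and `resolveOAuthAccount` are assumptions for the purpose of the example.

```typescript
// Added example, not the project's code. Names and the in-memory store are assumptions.

interface OAuthProfile {
  provider: string;          // e.g. "google", "github"
  providerAccountId: string; // stable subject id issued by the provider
  email: string | null;
  emailVerified: boolean;    // true only when the provider asserts it verified the address
}

interface User { id: string; email: string | null; }
interface Identity { provider: string; providerAccountId: string; userId: string; }

type Resolution =
  | { action: "existing"; user: User }       // identity already linked: returning login
  | { action: "linked"; user: User }         // new provider linked to the existing account
  | { action: "created"; user: User }        // genuinely new user
  | { action: "link_required"; existingUserId: string }; // unverified email collides: explicit link needed

class AccountStore {
  users = new Map<string, User>();
  identities = new Map<string, Identity>(); // key: "provider:providerAccountId"
  private nextId = 1;

  static identityKey(provider: string, providerAccountId: string): string {
    return `${provider}:${providerAccountId}`;
  }

  static normalizeEmail(email: string): string {
    return email.trim().toLowerCase();
  }

  findByEmail(email: string): User | undefined {
    const norm = AccountStore.normalizeEmail(email);
    for (const u of this.users.values()) if (u.email === norm) return u;
    return undefined;
  }

  createUser(email: string | null): User {
    const user: User = { id: `u${this.nextId++}`, email: email ? AccountStore.normalizeEmail(email) : null };
    this.users.set(user.id, user);
    return user;
  }

  linkIdentity(p: OAuthProfile, user: User): void {
    this.identities.set(AccountStore.identityKey(p.provider, p.providerAccountId),
      { provider: p.provider, providerAccountId: p.providerAccountId, userId: user.id });
  }

  identitiesFor(userId: string): Identity[] {
    return [...this.identities.values()].filter(i => i.userId === userId);
  }
}

function resolveOAuthAccount(store: AccountStore, p: OAuthProfile): Resolution {
  // 1. Provider identity already linked: a returning login, no reconciliation needed.
  const existing = store.identities.get(AccountStore.identityKey(p.provider, p.providerAccountId));
  if (existing) return { action: "existing", user: store.users.get(existing.userId)! };

  // 2. Reconcile by email only when the provider asserts the address is verified.
  if (p.email && p.emailVerified) {
    const owner = store.findByEmail(p.email);
    if (owner) {
      store.linkIdentity(p, owner);
      return { action: "linked", user: owner };
    }
    const user = store.createUser(p.email);
    store.linkIdentity(p, user);
    return { action: "created", user };
  }

  // 3. Unverified (or missing) email that collides with an existing account: do not
  //    auto-link (account takeover risk) and do not silently create a duplicate.
  //    The caller should ask the user to sign in to the existing account and link explicitly.
  if (p.email) {
    const owner = store.findByEmail(p.email);
    if (owner) return { action: "link_required", existingUserId: owner.id };
  }

  // 4. No match at all: create a new user without trusting the unverified address.
  const user = store.createUser(null);
  store.linkIdentity(p, user);
  return { action: "created", user };
}
```

Run through the reproduction steps: a Google login with a verified address creates `u1`; a later GitHub login presenting the same verified address links to `u1` instead of creating `u2`. A GitHub login whose email is not marked verified gets `link_required` for that address, so the existing account is neither duplicated nor silently merged.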
Severity
High