Merge pull request #16 from initstring/codex/fix-oauth-login-flow-behavior

Fix Google OAuth linking to existing accounts

Author: initstring

src/server/auth/config.ts

@@ -197,6 +197,9 @@ export const authConfig = {
           GoogleProvider({
             clientId: process.env.GOOGLE_CLIENT_ID,
             clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+            // We trust the locally provisioned accounts and block unknown e-mails in the
+            // sign-in callback, so allow Auth.js to link Google users directly by e-mail.
+            allowDangerousEmailAccountLinking: true,
           }),
         ]
       : []),
@@ -241,8 +244,32 @@ export const authConfig = {
         const emailAddr = (user as { email?: string | null } | undefined)?.email?.toLowerCase();
         if (!emailAddr) return false;
         try {
-          const existing = await db.user.findUnique({ where: { email: emailAddr } });
-          return Boolean(existing);
+          const existing = await db.user.findUnique({
+            where: { email: emailAddr },
+            select: { id: true, emailVerified: true },
+          });
+          if (!existing) return false;
+
+          if (!existing.emailVerified) {
+            try {
+              await db.user.update({
+                where: { id: existing.id },
+                data: { emailVerified: new Date() },
+              });
+            } catch (updateError) {
+              logger.warn(
+                {
+                  event: "auth.oauth_email_verified_update_failed",
+                  provider,
+                  userId: existing.id,
+                  error: updateError,
+                },
+                "Failed to mark OAuth user as verified",
+              );
+            }
+          }
+
+          return true;
         } catch (error) {
           logger.warn(
             { event: "auth.oauth_validation_error", provider, error },

src/test/auth-signin-callback.test.ts

@@ -1,13 +1,18 @@
-import { describe, it, expect, vi } from "vitest";
+import { describe, it, expect, vi, beforeEach } from "vitest";
 import type { AdapterUser } from "next-auth/adapters";
 
 // Mock server-only barrier and db import so config can be imported in Vitest
 vi.mock("server-only", () => ({}));
-vi.mock("@/server/db", () => ({ db: { user: { findUnique: vi.fn() } } }));
+vi.mock("@/server/db", () => ({ db: { user: { findUnique: vi.fn(), update: vi.fn() } } }));
 
 const { db } = await import("@/server/db");
 const mockDb = vi.mocked(db, true);
 
+beforeEach(() => {
+  mockDb.user.findUnique.mockReset();
+  mockDb.user.update.mockReset();
+});
+
 describe("NextAuth signIn callback", () => {
   it("allows calls without account context", async () => {
     const { authConfig } = await import("@/server/auth/config");
@@ -39,4 +44,60 @@ describe("NextAuth signIn callback", () => {
     });
     expect(res).toBe(true);
   });
+
+  it("allows Google sign-in for existing user and marks email verified", async () => {
+    mockDb.user.findUnique.mockResolvedValue({ id: "u1", emailVerified: null });
+    mockDb.user.update.mockResolvedValue({ id: "u1" } as never);
+
+    const { authConfig } = await import("@/server/auth/config");
+    const signInCb = authConfig.callbacks?.signIn;
+    if (!signInCb) throw new Error("signIn callback missing");
+
+    const res = await signInCb({
+      account: { provider: "google" } as any,
+      user: { email: "User@Test.com" } as AdapterUser,
+    });
+
+    expect(res).toBe(true);
+    expect(mockDb.user.findUnique).toHaveBeenCalledWith({
+      where: { email: "user@test.com" },
+      select: { id: true, emailVerified: true },
+    });
+    expect(mockDb.user.update).toHaveBeenCalledTimes(1);
+    const updateArg = mockDb.user.update.mock.calls[0]?.[0];
+    expect(updateArg).toMatchObject({ where: { id: "u1" } });
+    expect(updateArg?.data?.emailVerified).toBeInstanceOf(Date);
+  });
+
+  it("skips verification update when Google user already verified", async () => {
+    mockDb.user.findUnique.mockResolvedValue({ id: "u2", emailVerified: new Date("2024-01-01T00:00:00.000Z") });
+
+    const { authConfig } = await import("@/server/auth/config");
+    const signInCb = authConfig.callbacks?.signIn;
+    if (!signInCb) throw new Error("signIn callback missing");
+
+    const res = await signInCb({
+      account: { provider: "google" } as any,
+      user: { email: "verified@test.com" } as AdapterUser,
+    });
+
+    expect(res).toBe(true);
+    expect(mockDb.user.update).not.toHaveBeenCalled();
+  });
+
+  it("denies Google sign-in when user does not exist", async () => {
+    mockDb.user.findUnique.mockResolvedValue(null);
+
+    const { authConfig } = await import("@/server/auth/config");
+    const signInCb = authConfig.callbacks?.signIn;
+    if (!signInCb) throw new Error("signIn callback missing");
+
+    const res = await signInCb({
+      account: { provider: "google" } as any,
+      user: { email: "missing@test.com" } as AdapterUser,
+    });
+
+    expect(res).toBe(false);
+    expect(mockDb.user.update).not.toHaveBeenCalled();
+  });
 });