Problem: If an invited users tries to sign in with google, our auth will not let them sign in and give a "OAuthAccountNotLinked" error. This happens when a user with the specified email is in the db, but their oauth access token (Google in this case) is not connected to their account.
Currently, when we invite a user, we add a new user document to the Users collection in our database with email and role fields. We use NextAuth's MongoDBAdapter, which automatically creates users in the Users collection and links their Oauth account (Google) by adding it to the Accounts collection on signup. However, since the partial user already exists in our db (bc we invited them) the MongoDBAdapter thinks there is an account link problem, but really the account just needs to be linked for the first time. Since account linking is not something that we want to do manually for security reasons, we must refactor how we invite users.
Solution:
Instead of inserting invited users into the Users collection, add them to a MongoDB collection called InvitedUsers. So when the NextAuth MongoDBAdapter implicitly looks inside the Users collection, it will not find the invited user and thus it will create a new user and link the Google account.
Refactors:
Add a new mongoose model called InvitedUsers that contains email, role, acceptedInvite, isActive properties
Have the User Management table pull from InvitedUsers and Users
pull all Users
pull all InvitedUsers with acceptedInvite: false
together this is all the active + inactive + invited users
Refactor api routes that modify users to also modify the InvitedUsers collection if necessary
for instance, if a user's role, isActive, acceptedInvite status gets updated that should be updated in both the Users and InvitedUsers collections
Update [...nextauth].js file to use the InvitedUsers collection to for checking if a user can signup, signin, etc
Ensure those signing in with Google have the same restrictions as credentials sign in
Sign in / Sign up Flow
Other Notes
Pointers, tips, and links to pieces of code or resources that might help in solving this ticket
Description
Problem: If an invited users tries to sign in with google, our auth will not let them sign in and give a "OAuthAccountNotLinked" error. This happens when a user with the specified email is in the db, but their oauth access token (Google in this case) is not connected to their account.
Currently, when we invite a user, we add a new user document to the Users collection in our database with
emailandrolefields. We use NextAuth's MongoDBAdapter, which automatically creates users in theUserscollection and links their Oauth account (Google) by adding it to theAccountscollection on signup. However, since the partial user already exists in our db (bc we invited them) the MongoDBAdapter thinks there is an account link problem, but really the account just needs to be linked for the first time. Since account linking is not something that we want to do manually for security reasons, we must refactor how we invite users.Solution: Instead of inserting invited users into the
Userscollection, add them to a MongoDB collection calledInvitedUsers. So when the NextAuth MongoDBAdapter implicitly looks inside theUserscollection, it will not find the invited user and thus it will create a new user and link the Google account.Refactors:
InvitedUsersthat containsemail, role, acceptedInvite, isActivepropertiesInvitedUsersandUsersUsersInvitedUserswithacceptedInvite: falserole, isActive, acceptedInvitestatus gets updated that should be updated in both theUsersandInvitedUserscollections[...nextauth].jsfile to use theInvitedUserscollection to for checking if a user can signup, signin, etcSign in / Sign up Flow
Other Notes