Problem: If an invited user tries to sign in with Google, our auth will not let them in and returns an "OAuthAccountNotLinked" error. NextAuth raises this when a user with the given email already exists in the database but no OAuth account (Google in this case) is linked to that user in the Accounts collection, so the adapter refuses to link the incoming one automatically.
Currently, when we invite a user, we add a new user document to the Users collection with email and role fields. We use NextAuth's MongoDBAdapter, which on signup automatically creates the user in the Users collection and links their OAuth account (Google) by adding it to the Accounts collection. Because the partial user already exists in our db (we inserted it at invite time), the MongoDBAdapter treats the Google sign-in as an attempt to attach a second login method to an existing account and refuses by design: it cannot distinguish a legitimate first link from an attacker presenting an OAuth identity that claims the same email as an existing user. NextAuth does expose a per-provider allowDangerousEmailAccountLinking option that would skip this check, but it is off by default for exactly that reason. Since account linking is not something we want to do manually (or enable automatically) for security reasons, we must refactor how we invite users.
Solution:
Instead of inserting invited users into the Users collection, add them to a separate MongoDB collection called InvitedUsers. When the NextAuth MongoDBAdapter looks up the Google account's email in the Users collection, it will find nothing, so it creates a new user and links the Google account as a normal first signup. Our own signIn callback then consults InvitedUsers to decide whether that signup is allowed at all.
Refactors:
- Add a new mongoose model called InvitedUsers with email, role, acceptedInvite and isActive properties
- Have the User Management table pull from both InvitedUsers and Users:
  - pull all Users
  - pull all InvitedUsers with acceptedInvite: false
  - together this is all the active + inactive + invited users
- Refactor the API routes that modify users so they also modify the InvitedUsers collection where necessary
  - for instance, if a user's role, isActive or acceptedInvite status is updated, that update must be applied in both the Users and InvitedUsers collections
- Update the [...nextauth].js file to use the InvitedUsers collection when checking whether a user may sign up, sign in, etc.
  - Ensure those signing in with Google are subject to the same restrictions as credentials sign-in (invited, isActive, acceptedInvite)
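As an added example (not the project's code), this is the admission rule that the [...nextauth].js signIn callback should apply to both Google and credentials sign-ins, plus the follow-up that an events.createUser hook should run once the MongoDBAdapter has inserted the new Users document. Collection and field names (Users, InvitedUsers, email, role, isActive, acceptedInvite) follow the ticket; the store interface (findUser, findInvite, updateUser, updateInvite, adapterCreateUser) and the in-memory store are assumptions standing in for Mongoose queries, which the real callback would await.

```javascript
// Added example, not the project's code. The store below is an assumed
// in-memory stand-in for the Users and InvitedUsers Mongoose models.

// Every provider hands us an email in different casing; normalise once so
// "Alice@Example.com" from Google matches the invite for "alice@example.com".
function normalizeEmail(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : null;
}

// Decide whether a sign-in attempt may proceed. Returns { allow, reason }.
// One gate serves Google and credentials so both paths get the same rules.
// `account`, `profile` and `credentials` are the fields NextAuth passes to
// the signIn callback.
function decideSignIn({ account, profile, credentials }, store) {
  let email;
  if (account?.provider === "google") {
    // Only trust Google-verified addresses: otherwise anyone who registers a
    // Google account with an unverified address equal to an invitee's email
    // could claim that invite.
    if (!profile || profile.email_verified !== true) {
      return { allow: false, reason: "unverified-email" };
    }
    email = normalizeEmail(profile.email);
  } else if (account?.provider === "credentials") {
    email = normalizeEmail(credentials?.email);
  } else {
    return { allow: false, reason: "unknown-provider" };
  }
  if (!email) return { allow: false, reason: "missing-email" };

  // A user who already completed sign-up lives in Users; only isActive matters.
  const user = store.findUser(email);
  if (user) {
    return user.isActive
      ? { allow: true, reason: "existing-user" }
      : { allow: false, reason: "deactivated" };
  }

  // Nothing in Users, so the adapter will create the user and link the Google
  // account. Permit that only for a live, not-yet-accepted invite.
  const invite = store.findInvite(email);
  if (!invite) return { allow: false, reason: "not-invited" };
  if (!invite.isActive) return { allow: false, reason: "invite-revoked" };
  if (invite.acceptedInvite) return { allow: false, reason: "invite-already-used" };
  return { allow: true, reason: "invited", role: invite.role };
}

// Runs after the adapter inserted the new Users document (events.createUser):
// copy the invited role onto the user and mark the invite as accepted so the
// User Management table stops listing it from InvitedUsers.
function onUserCreated(user, store) {
  const email = normalizeEmail(user.email);
  const invite = store.findInvite(email);
  if (!invite) return null;
  store.updateInvite(email, { acceptedInvite: true });
  return store.updateUser(email, { role: invite.role, isActive: invite.isActive });
}

// Constructed in-memory stand-in for the two collections (assumption).
function makeStore(users = [], invitedUsers = []) {
  const byEmail = (docs) => new Map(docs.map((d) => [d.email, { ...d }]));
  const u = byEmail(users);
  const i = byEmail(invitedUsers);
  return {
    findUser: (email) => u.get(email) || null,
    findInvite: (email) => i.get(email) || null,
    updateUser: (email, patch) => Object.assign(u.get(email), patch),
    updateInvite: (email, patch) => Object.assign(i.get(email), patch),
    // What the adapter does on a first OAuth sign-in: insert a Users document.
    adapterCreateUser: (email) => {
      const doc = { email, role: null, isActive: true };
      u.set(email, doc);
      return doc;
    },
  };
}
```

In [...nextauth].js the wiring would be `callbacks.signIn` returning `decideSignIn({ account, profile, credentials }, store).allow` and `events.createUser` calling `onUserCreated(user, store)`; because the createUser event fires only after the adapter has written the Users document, the role copy and the acceptedInvite flip cannot race the adapter insert.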
Sign in / Sign up Flow
Other Notes
Pointers, tips, and links to pieces of code or resources that might help in solving this ticket