Skip to content

Add opt-in for dangerous linking #5513

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 23, 2022
Merged

Add opt-in for dangerous linking #5513

merged 4 commits into from
Oct 23, 2022

Conversation

@jcdogo
Copy link
Contributor

@jcdogo jcdogo commented Oct 7, 2022
edited by ThangHuuVu
Loading

This is an updated pull request of #3557 since it was closed due to inactivity. We also have the same use case as the original author (@Gregoor).

@ThangHuuVu I've updated the pull request against the latest main branch so that it compiles, and I have also addressed the requested changes from the original pull request:

  1. The allowDangerousEmailAccountLinking option was moved to OAuthConfig since it only applies to oauth providers.
  2. Added documentation for the new option in docs/configuration/providers/oauth.md

☕️ Reasoning

By default account linking can only be done through an active session, to prevent account stealing from low-trust providers. Some next-auth users might trust their chosen providers enough to opt them into more lax account linking.

🧢 Checklist

  • Documentation
  • Tests
  • Ready to be merged

🎫 Affected issues

#3557
#5098
#5324
#4826
#4625
#4271

@vercel
Copy link

vercel bot commented Oct 7, 2022
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment
Name Status Preview Updated
next-auth ⬜️ Ignored (Inspect) Oct 20, 2022 at 5:43PM (UTC)

@github-actions github-actions bot added core Refers to `@auth/core` providers labels Oct 7, 2022
@vercel vercel bot temporarily deployed to Preview October 7, 2022 02:01 Inactive
@balazsorban44
Copy link
Member

balazsorban44 commented Oct 9, 2022

The original PR does not seem to be closed, but due to inactivity, it might be in the future. I closed it and pointed to this PR, hopefully, the author will understand.

@balazsorban44 balazsorban44 mentioned this pull request Oct 9, 2022
Closed
3 tasks
@jcdogo jcdogo force-pushed the feature/opt-in-dangerous-account-linking branch from 3bf7bc6 to 885e01a Compare October 11, 2022 23:57
@vercel vercel bot temporarily deployed to Preview October 11, 2022 23:59 Inactive
@dogomedia-github
Copy link
Contributor

dogomedia-github commented Oct 12, 2022
edited
Loading

We have rebased the PR so that there is no longer a conflict with main branch. Hopefully we can get this one approved since account linking seems to have come up fairly frequently.

ThangHuuVu
ThangHuuVu requested changes Oct 20, 2022
View reviewed changes
Copy link
Member

@ThangHuuVu ThangHuuVu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for sending the PR 🙌 Could you run the linter on the PR again? Let's get this merged soon

ThangHuuVu
ThangHuuVu reviewed Oct 20, 2022
View reviewed changes
@jcdogo jcdogo force-pushed the feature/opt-in-dangerous-account-linking branch from 885e01a to 5e56e15 Compare October 20, 2022 17:29
@vercel vercel bot temporarily deployed to Preview October 20, 2022 17:32 Inactive
@jcdogo
Copy link
Contributor Author

jcdogo commented Oct 20, 2022
edited
Loading

Thanks for sending the PR 🙌 Could you run the linter on the PR again? Let's get this merged soon

I'm are running into some difficulties running the linter! Not sure how to fix it as this is our first time working with mono repo. We're getting this error when running the linter.

error  Parsing error: File '@next-auth/tsconfig/tsconfig.base.json' not found

Any ideas how to resolve this? (I suspect we just haven't set up something correctly)

EDIT: Never mind. Instead of trying to build this locally, we just looked at the Github Actions pull request output and noticed that it was calling the lint command anyways. After rebasing the code onto main branch again, we noticed that there was a linting error that was breaking the build (not due to our changes though). So in order to complete the linting, we added a fix for the linting error. There should no longer be any outstanding issues with lint.

@jcdogo jcdogo requested review from ThangHuuVu and removed request for 0ubbe and ndom91 October 20, 2022 21:36
ThangHuuVu
ThangHuuVu approved these changes Oct 23, 2022
View reviewed changes
Copy link
Member

@ThangHuuVu ThangHuuVu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@ThangHuuVu ThangHuuVu merged commit ba89907 into nextauthjs:main Oct 23, 2022
@Andrew-Chen-Wang Andrew-Chen-Wang mentioned this pull request Jan 31, 2025
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ThangHuuVu ThangHuuVu ThangHuuVu approved these changes

Assignees

No one assigned

Labels

core Refers to `@auth/core` providers

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jcdogo @balazsorban44 @dogomedia-github @ThangHuuVu