Update docs to account for unconfirmed users

Ensure oauth users cannot login with unconfirmed account team-alembic#443
dan-klasson · Aug 19, 2024 · 05531c8 · 05531c8
1 parent 5d4f20b
commit 05531c8
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/documentation/tutorials/github.md b/documentation/tutorials/github.md
@@ -116,8 +116,12 @@ defmodule MyApp.Accounts.User do
     create :register_with_github do
       argument :user_info, :map, allow_nil?: false
       argument :oauth_tokens, :map, allow_nil?: false
+      # Add oauth2 if an account with this email address already exists
       upsert? true
-      upsert_identity :email
+      upsert_identity :unique_email
+      # Fields you want to set if a matching user exists, *don't* include `confirmed_at`
+      upsert_fields []
+      change set_attribute(:confirmed_at, &DateTime.utc_now/0)
 
       # Required if you have token generation enabled.
       change AshAuthentication.GenerateTokenChange
@@ -130,6 +134,14 @@ defmodule MyApp.Accounts.User do
 
         Ash.Changeset.change_attributes(changeset, Map.take(user_info, ["email"]))
       end
+
+      # Ensure non-confirmed users can't sign up with oauth
+      change after_action(fn _changeset, user, _context ->
+        case user.confirmed_at do
+          nil -> {:error, "Unconfirmed user exists already"}
+          _ -> {:ok, user}
+        end
+      end)
     end
   end
 

diff --git a/documentation/tutorials/google.md b/documentation/tutorials/google.md
@@ -7,6 +7,7 @@ First you'll need a registered application in [Google Cloud](https://console.clo
 1. On the Cloud's console **Quick access** section select **APIs & Services**, then **Credentials**
 2. Click on **+ CREATE CREDENTIALS** and from the dropdown select **OAuth client ID**
 3. From the google developers console, we will need: `client_id` & `client_secret`
+4. Enter your callback uri under **Authorized redirect URIs**. E.g. `http://localhost:4000/auth/user/google/callback`.
 
 Next we configure our resource to use google credentials:
 
@@ -46,19 +47,31 @@ defmodule MyApp.Accounts.User do
     create :register_with_google do
       argument :user_info, :map, allow_nil?: false
       argument :oauth_tokens, :map, allow_nil?: false
+      # Add oauth2 if an account with this email address already exists
       upsert? true
-      upsert_identity :email
+      upsert_identity :unique_email
+      # Fields you want to set if a matching user exists, *don't* include `confirmed_at`
+      upsert_fields []
+      change set_attribute(:confirmed_at, &DateTime.utc_now/0)
 
       change AshAuthentication.GenerateTokenChange
 
       # Required if you have the `identity_resource` configuration enabled.
       change AshAuthentication.Strategy.OAuth2.IdentityChange
 
-      change fn changeset, _ ->
+      change fn changeset, _context ->
         user_info = Ash.Changeset.get_argument(changeset, :user_info)
 
         Ash.Changeset.change_attributes(changeset, Map.take(user_info, ["email"]))
       end
+
+      # Ensure non-confirmed users can't sign up with oauth
+      change after_action(fn _changeset, user, _context ->
+        case user.confirmed_at do
+          nil -> {:error, "Unconfirmed user exists already"}
+          _ -> {:ok, user}
+        end
+      end)
     end
   end