fix(oauth2): Double check if OAuth2 account is actually already used …

…before throwing AccountAlreadyExists error
postalsys · Oct 16, 2024 · 3f967a9 · 3f967a9
1 parent 1affc1d
commit 3f967a9
Showing 1 changed file with 28 additions and 10 deletions.
diff --git a/lib/account.js b/lib/account.js
@@ -634,11 +634,20 @@ class Account {
                 // check if already exists
                 let existingAppBinding = await this.redis.hget(`${REDIS_PREFIX}oapp:h:${accountData.oauth2.provider}`, accountData.oauth2.auth?.user);
                 if (existingAppBinding && existingAppBinding !== this.account) {
-                    let message = 'Another account for the same OAuth2 user already exists';
-                    let error = Boom.boomify(new Error(message), { statusCode: 400 });
-                    error.output.payload.code = 'AccountAlreadyExists';
-                    error.output.payload.existingAccount = existingAppBinding;
-                    throw error;
+                    let existingAccount;
+                    try {
+                        existingAccount = await this.loadAccountData(existingAppBinding);
+                    } catch (err) {
+                        // account not found
+                    }
+
+                    if (existingAccount?.oauth2?.auth?.user === accountData.oauth2.auth?.user) {
+                        let message = 'Another account for the same OAuth2 user already exists';
+                        let error = Boom.boomify(new Error(message), { statusCode: 400 });
+                        error.output.payload.code = 'AccountAlreadyExists';
+                        error.output.payload.existingAccount = existingAppBinding;
+                        throw error;
+                    }
                 }
                 pipeline = pipeline.hset(`${REDIS_PREFIX}oapp:h:${addProvider}`, accountData.oauth2?.auth?.user, this.account);
             }
@@ -768,11 +777,20 @@ class Account {
                 // check if already exists
                 let existingAppBinding = await this.redis.hget(`${REDIS_PREFIX}oapp:h:${accountData.oauth2.provider}`, accountData.oauth2.auth?.user);
                 if (existingAppBinding && existingAppBinding !== this.account) {
-                    let message = 'Another account for the same OAuth2 user already exists';
-                    let error = Boom.boomify(new Error(message), { statusCode: 400 });
-                    error.output.payload.code = 'AccountAlreadyExists';
-                    error.output.payload.existingAccount = existingAppBinding;
-                    throw error;
+                    let existingAccount;
+                    try {
+                        existingAccount = await this.loadAccountData(existingAppBinding);
+                    } catch (err) {
+                        // account not found
+                    }
+
+                    if (existingAccount?.oauth2?.auth?.user === accountData.oauth2.auth?.user) {
+                        let message = 'Another account for the same OAuth2 user already exists';
+                        let error = Boom.boomify(new Error(message), { statusCode: 400 });
+                        error.output.payload.code = 'AccountAlreadyExists';
+                        error.output.payload.existingAccount = existingAppBinding;
+                        throw error;
+                    }
                 }
                 pipeline = pipeline.hset(`${REDIS_PREFIX}oapp:h:${accountData.oauth2.provider}`, accountData.oauth2.auth?.user, this.account);
             }