implement account linking for new users

Author: XiNiHa

packages/services/api/src/modules/auth/lib/authz.ts

@@ -51,6 +51,7 @@ function parseResourceIdentifier(resource: string) {
 export type UserActor = {
   type: 'user';
   user: User;
+  oidcIntegrationId: string | null;
 };
 
 export type OrganizationAccessTokenActor = {

packages/services/api/src/modules/auth/lib/supertokens-strategy.ts

@@ -11,15 +11,24 @@ import { AuthNStrategy, AuthorizationPolicyStatement, Session, UserActor } from
 
 export class SuperTokensCookieBasedSession extends Session {
   public superTokensUserId: string;
+  public userId: string | undefined;
+  public oidcIntegrationId: string | null | undefined;
   private organizationMembers: OrganizationMembers;
   private storage: Storage;
 
   constructor(
-    args: { superTokensUserId: string; email: string },
+    args: {
+      superTokensUserId: string;
+      userId: string | undefined;
+      oidcIntegrationId: string | null | undefined;
+      email: string;
+    },
     deps: { organizationMembers: OrganizationMembers; storage: Storage; logger: Logger },
   ) {
     super({ logger: deps.logger });
     this.superTokensUserId = args.superTokensUserId;
+    this.userId = args.userId;
+    this.oidcIntegrationId = args.oidcIntegrationId;
     this.organizationMembers = deps.organizationMembers;
     this.storage = deps.storage;
   }
@@ -109,9 +118,9 @@ export class SuperTokensCookieBasedSession extends Session {
   }
 
   public async getActor(): Promise<UserActor> {
-    const user = await this.storage.getUserBySuperTokenId({
-      superTokensUserId: this.superTokensUserId,
-    });
+    const user = this.userId
+      ? await this.storage.getUserById({ id: this.userId })
+      : await this.storage.getUserBySuperTokenId({ superTokensUserId: this.superTokensUserId });
 
     if (!user) {
       throw new AccessError('User not found');
@@ -120,6 +129,7 @@ export class SuperTokensCookieBasedSession extends Session {
     return {
       type: 'user',
       user,
+      oidcIntegrationId: this.oidcIntegrationId ?? null,
     };
   }
 
@@ -227,6 +237,8 @@ export class SuperTokensUserAuthNStrategy extends AuthNStrategy<SuperTokensCooki
     return new SuperTokensCookieBasedSession(
       {
         superTokensUserId: session.superTokensUserId,
+        userId: session.userId,
+        oidcIntegrationId: session.oidcIntegrationId,
         email: session.email,
       },
       {
@@ -241,5 +253,7 @@ export class SuperTokensUserAuthNStrategy extends AuthNStrategy<SuperTokensCooki
 const SuperTokenAccessTokenModel = zod.object({
   version: zod.literal('1'),
   superTokensUserId: zod.string(),
+  userId: zod.string().optional(),
+  oidcIntegrationId: zod.string().nullable().optional(),
   email: zod.string(),
 });

packages/services/api/src/modules/shared/providers/storage.ts

@@ -79,7 +79,10 @@ export interface Storage {
     };
     firstName: string | null;
     lastName: string | null;
-  }): Promise<'created' | 'no_action'>;
+  }): Promise<{
+    user: User;
+    action: 'created' | 'no_action';
+  }>;
 
   getUserBySuperTokenId(_: { superTokensUserId: string }): Promise<User | null>;
   getUserById(_: { id: string }): Promise<User | null>;

packages/services/server/src/supertokens.ts

@@ -189,17 +189,27 @@ export const backendConfig = (requirements: {
                 );
               }
 
-              input.accessTokenPayload = {
+              let payload = {
                 version: '1',
                 superTokensUserId: input.userId,
                 email: user.emails[0],
+                userId: undefined as string | undefined,
+                oidcIntegrationId: undefined as string | null | undefined,
               };
+              try {
+                const internalUser = await internalApi.ensureUser({
+                  superTokensUserId: user.id,
+                  email: user.emails[0],
+                  oidcIntegrationId: input.userContext['oidcId'] ?? null,
+                  firstName: null,
+                  lastName: null,
+                });
+                payload.userId = internalUser.user.id;
+                payload.oidcIntegrationId = input.userContext['oidcId'] ?? null;
+              } catch {}
 
-              input.sessionDataInDatabase = {
-                version: '1',
-                superTokensUserId: input.userId,
-                email: user.emails[0],
-              };
+              input.accessTokenPayload = structuredClone(payload);
+              input.sessionDataInDatabase = structuredClone(payload);
 
               return originalImplementation.createNewSession(input);
             },

packages/services/storage/src/index.ts

@@ -609,8 +609,20 @@ export async function createStorage(
     }) {
       return tracedTransaction('ensureUserExists', pool, async t => {
         let action: 'created' | 'no_action' = 'no_action';
-        let internalUser = await shared.getUserBySuperTokenId({ superTokensUserId }, t);
-
+        const users = await pool.any<unknown>(sql`
+          SELECT
+            ${userFields(sql`"users".`, sql`"stu".`)},
+          FROM
+            "users"
+          LEFT JOIN "supertokens_thirdparty_users" AS "stu"
+            ON ("stu"."user_id" = "users"."supertoken_user_id")
+          WHERE
+            "users"."email" = ${email};
+        `);
+        let internalUser = users.length > 0 ? UserModel.parse(users[0]) : null;
+        if (!internalUser) {
+          internalUser = await shared.getUserBySuperTokenId({ superTokensUserId });
+        }
         if (!internalUser) {
           internalUser = await shared.createUser(
             buildUserData({
@@ -636,7 +648,10 @@ export async function createStorage(
           );
         }
 
-        return action;
+        return {
+          user: internalUser,
+          action,
+        };
       });
     },
     async getUserBySuperTokenId({ superTokensUserId }) {