@pedroccastro pedroccastro commented Jan 8, 2026

What does this PR do?

Hardens OAuth account linking by blocking unverified CAL accounts from linking to an OAuth identity (Google/SAML). Users must verify their email before linking to OAuth, preventing account pre-hijacking attacks.

Changes

Layer | File(s)                       | Change
Auth  | auth/lib/next-auth-options.ts | Block OAuth linking for unverified CAL accounts
Error | auth/error/page.tsx           | Handle unverified-email error
i18n  | locales/en/common.json        | Add user-friendly error message

Behavior

  • Unverified CAL account + OAuth login → Blocked with error message
  • Verified CAL account + OAuth login → Normal linking flow
  • Invited users (no password/username) → Not affected (separate flow)
  • Existing SAML/Google users → Not affected

Recovery path for legitimate users

Users who created a CAL account but didn't verify can:

  1. Sign in with their password
  2. Resend verification email
  3. Verify email
  4. Then use OAuth login

How should this be tested?

  1. Enable email-verification feature flag
  2. Create CAL account with email X (do not verify)
  3. Try to login via Google OAuth with same email
  4. Verify error message appears with recovery instructions
  5. Login with password, verify email, then OAuth should work

Mandatory Tasks

  • I have self-reviewed the code
  • N/A I have updated the developer docs
  • I confirm automated tests are in place

- Add AccountSanitizationService for secure account cleanup
- Clear webhooks, API keys, credentials, and sessions for unverified accounts
- Reset password and 2FA settings during OAuth conversion
- Nullify redirect URLs on event types

Only affects accounts that never completed email verification

@pedroccastro pedroccastro marked this pull request as ready for review January 8, 2026 19:46
@pedroccastro pedroccastro requested a review from a team as a code owner January 8, 2026 19:46
@graphite-app graphite-app bot added foundation core area: core, team members only labels Jan 8, 2026
@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 3 files

  Replace sanitization with simpler blocking approach:
  - Unverified CAL accounts cannot link to OAuth (Google/SAML)
  - Add user-friendly error message with recovery path
  - Remove AccountSanitizationService (no data loss risk)
@pull-request-size pull-request-size bot added size/XS and removed size/L labels Jan 9, 2026
vercel bot commented Jan 9, 2026


4 Skipped Deployments

Project       | Deployment | Review  | Updated (UTC)
api-v2        | Ignored    | Ignored | Jan 9, 2026 0:20am
cal           | Ignored    | Ignored | Jan 9, 2026 0:20am
cal-companion | Ignored    | Ignored | Jan 9, 2026 0:20am
cal-eu        | Ignored    | Ignored | Jan 9, 2026 0:20am

@pedroccastro pedroccastro changed the title fix(auth): sanitize unverified accounts during OAuth linking fix(auth): block OAuth linking for unverified accounts Jan 9, 2026
@keithwillcode keithwillcode enabled auto-merge (squash) January 9, 2026 10:40
@keithwillcode keithwillcode disabled auto-merge January 9, 2026 10:40
@emrysal emrysal merged commit 51639e3 into main Jan 9, 2026
73 of 75 checks passed
@emrysal emrysal deleted the fix/oauth-account-linking-hardening branch January 9, 2026 11:04