Fix OIDC login by using SystemActor in OidcEmailCollision validation
- Add SystemActor to Ash.read_one() calls in OidcEmailCollision validation - Prevents authorization failures during OIDC registration when no actor is logged in - Enables proper email collision detection and account linking flow
This commit is contained in:
parent
079d270768
commit
bad4e5ca7c
1 changed files with 8 additions and 4 deletions
|
|
@ -42,25 +42,29 @@ defmodule Mv.Accounts.User.Validations.OidcEmailCollision do
|
||||||
if email && oidc_id && user_info do
|
if email && oidc_id && user_info do
|
||||||
# Check if a user with this oidc_id already exists
|
# Check if a user with this oidc_id already exists
|
||||||
# If yes, this will be an upsert (email update), not a new registration
|
# If yes, this will be an upsert (email update), not a new registration
|
||||||
|
# Use SystemActor for authorization during OIDC registration (no logged-in actor)
|
||||||
|
system_actor = Mv.Helpers.SystemActor.get_system_actor()
|
||||||
|
|
||||||
existing_oidc_user =
|
existing_oidc_user =
|
||||||
case Mv.Accounts.User
|
case Mv.Accounts.User
|
||||||
|> Ash.Query.filter(oidc_id == ^to_string(oidc_id))
|
|> Ash.Query.filter(oidc_id == ^to_string(oidc_id))
|
||||||
|> Ash.read_one() do
|
|> Ash.read_one(actor: system_actor) do
|
||||||
{:ok, user} -> user
|
{:ok, user} -> user
|
||||||
_ -> nil
|
_ -> nil
|
||||||
end
|
end
|
||||||
|
|
||||||
check_email_collision(email, oidc_id, user_info, existing_oidc_user)
|
check_email_collision(email, oidc_id, user_info, existing_oidc_user, system_actor)
|
||||||
else
|
else
|
||||||
:ok
|
:ok
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp check_email_collision(email, new_oidc_id, user_info, existing_oidc_user) do
|
defp check_email_collision(email, new_oidc_id, user_info, existing_oidc_user, system_actor) do
|
||||||
# Find existing user with this email
|
# Find existing user with this email
|
||||||
|
# Use SystemActor for authorization during OIDC registration (no logged-in actor)
|
||||||
case Mv.Accounts.User
|
case Mv.Accounts.User
|
||||||
|> Ash.Query.filter(email == ^to_string(email))
|
|> Ash.Query.filter(email == ^to_string(email))
|
||||||
|> Ash.read_one() do
|
|> Ash.read_one(actor: system_actor) do
|
||||||
{:ok, nil} ->
|
{:ok, nil} ->
|
||||||
# No user exists with this email - OK to create new user
|
# No user exists with this email - OK to create new user
|
||||||
:ok
|
:ok
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue