From fe07a4e955c95078ca4f2ea33355cdecd711c889 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Fri, 23 Jan 2026 02:12:53 +0100
Subject: [PATCH] Fix OIDC login by using SystemActor in OidcEmailCollision validation

- Add SystemActor to Ash.read_one() calls in OidcEmailCollision validation
- Prevents authorization failures during OIDC registration when no actor is logged in
- Enables proper email collision detection and account linking flow
---
 .../user/validations/oidc_email_collision.ex | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/accounts/user/validations/oidc_email_collision.ex b/lib/accounts/user/validations/oidc_email_collision.ex
index 041647a..08a8911 100644
--- a/lib/accounts/user/validations/oidc_email_collision.ex
+++ b/lib/accounts/user/validations/oidc_email_collision.ex
@@ -42,25 +42,29 @@ defmodule Mv.Accounts.User.Validations.OidcEmailCollision do
 if email && oidc_id && user_info do
 # Check if a user with this oidc_id already exists
 # If yes, this will be an upsert (email update), not a new registration
+ # Use SystemActor for authorization during OIDC registration (no logged-in actor)
+ system_actor = Mv.Helpers.SystemActor.get_system_actor()
+
 existing_oidc_user =
 case Mv.Accounts.User
 |> Ash.Query.filter(oidc_id == ^to_string(oidc_id))
- |> Ash.read_one() do
+ |> Ash.read_one(actor: system_actor) do
 {:ok, user} -> user
 _ -> nil
 end
 
- check_email_collision(email, oidc_id, user_info, existing_oidc_user)
+ check_email_collision(email, oidc_id, user_info, existing_oidc_user, system_actor)
 else
 :ok
 end
 end
 
- defp check_email_collision(email, new_oidc_id, user_info, existing_oidc_user) do
+ defp check_email_collision(email, new_oidc_id, user_info, existing_oidc_user, system_actor) do
 # Find existing user with this email
+ # Use SystemActor for authorization during OIDC registration (no logged-in actor)
 case Mv.Accounts.User
 |> Ash.Query.filter(email == ^to_string(email))
- |> Ash.read_one() do
+ |> Ash.read_one(actor: system_actor) do
 {:ok, nil} ->
 # No user exists with this email - OK to create new user
 :ok
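Review bot: The first lookup still ends in `_ -> nil`, so any `{:error, _}` from `Ash.read_one(actor: system_actor)` is treated as "no user with this oidc_id" and the flow carries on as a new registration. That catch-all is presumably what kept the original authorization failure silent, and it would hide the same failure again if `get_system_actor()` ever returned an actor the policies reject. In a validation that decides account linking, a failed read should fail closed; the sketch below propagates the error instead, assuming the validation may return `{:error, term}` alongside the `:ok` it already returns. The body of `check_email_collision/5` continues past the end of the hunk, so its error branches cannot be checked from here.

```elixir
# … unchanged: system_actor = Mv.Helpers.SystemActor.get_system_actor() …
oidc_lookup =
  Mv.Accounts.User
  |> Ash.Query.filter(oidc_id == ^to_string(oidc_id))
  |> Ash.read_one(actor: system_actor)

case oidc_lookup do
  {:ok, existing_oidc_user} ->
    check_email_collision(email, oidc_id, user_info, existing_oidc_user, system_actor)

  {:error, error} ->
    # Fail closed: a failed read is not evidence that the oidc_id is unused.
    {:error, error}
end
```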