local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 51 Pull requests 13 Projects 1 Releases Packages 1 Activity Actions

OIDC handling and linking closes #171 #192

Merged
moritz merged 9 commits from feature/oidc_handling into main 2025-11-13 16:36:04 +01:00
Conversation 1 Commits 9 Files changed 21 +3209 -141
21 changed files with 3209 additions and 141 deletions
Download patch file Download diff file Expand all files Collapse all files

207
docs/oidc-account-linking.md Normal file
View file

@ -0,0 +1,207 @@
# OIDC Account Linking Implementation
## Overview
This feature implements secure account linking between password-based accounts and OIDC authentication. When a user attempts to log in via OIDC with an email that already exists as a password-only account, the system requires password verification before linking the accounts.
## Architecture
### Key Components
#### 1. Security Fix: `lib/accounts/user.ex`
**Change**: The `sign_in_with_rauthy` action now filters by `oidc_id` instead of `email`.
```elixir
read :sign_in_with_rauthy do
argument :user_info, :map, allow_nil?: false
argument :oauth_tokens, :map, allow_nil?: false
prepare AshAuthentication.Strategy.OAuth2.SignInPreparation
# SECURITY: Filter by oidc_id, NOT by email!
filter expr(oidc_id == get_path(^arg(:user_info), [:sub]))
end
```
**Why**: Prevents OIDC users from bypassing password authentication and taking over existing accounts.
#### 2. Custom Error: `lib/accounts/user/errors/password_verification_required.ex`
Custom error raised when OIDC login conflicts with existing password account.
**Fields**:
- `user_id`: ID of the existing user
- `oidc_user_info`: OIDC user information for account linking
#### 3. Validation: `lib/accounts/user/validations/oidc_email_collision.ex`
Validates email uniqueness during OIDC registration.
**Scenarios**:
1. **User exists with matching `oidc_id`**: Allow (upsert)
2. **User exists without `oidc_id`** (password-protected OR passwordless): Raise `PasswordVerificationRequired`
- The `LinkOidcAccountLive` will auto-link passwordless users without password prompt
- Password-protected users must verify their password
3. **User exists with different `oidc_id`**: Hard error (cannot link multiple OIDC providers)
4. **No user exists**: Allow (new user creation)
#### 4. Account Linking Action: `lib/accounts/user.ex`
```elixir
update :link_oidc_id do
description "Links an OIDC ID to an existing user after password verification"
accept []
argument :oidc_id, :string, allow_nil?: false
argument :oidc_user_info, :map, allow_nil?: false
# ... implementation
end
```
**Features**:
- Links `oidc_id` to existing user
- Updates email if it differs from OIDC provider
- Syncs email changes to linked member
#### 5. Controller: `lib/mv_web/controllers/auth_controller.ex`
Refactored for better complexity and maintainability.
**Key improvements**:
- Reduced cyclomatic complexity from 11 to below 9
- Better separation of concerns with helper functions
- Comprehensive documentation
**Flow**:
1. Detects `PasswordVerificationRequired` error
2. Stores OIDC info in session
3. Redirects to account linking page
#### 6. LiveView: `lib/mv_web/live/auth/link_oidc_account_live.ex`
Interactive UI for password verification and account linking.
**Flow**:
1. Retrieves OIDC info from session
2. **Auto-links passwordless users** immediately (no password prompt)
3. Displays password verification form for password-protected users
4. Verifies password using AshAuthentication
5. Links OIDC account on success
6. Redirects to complete OIDC login
7. **Logs all security-relevant events** (successful/failed linking attempts)
### Locale Persistence
**Problem**: Locale was lost on logout (session cleared).
**Solution**: Store locale in persistent cookie (1 year TTL) with security flags.
**Changes**:
- `lib/mv_web/locale_controller.ex`: Sets locale cookie with `http_only` and `secure` flags
- `lib/mv_web/router.ex`: Reads locale from cookie if session empty
**Security Features**:
- `http_only: true` - Cookie not accessible via JavaScript (XSS protection)
- `secure: true` - Cookie only transmitted over HTTPS in production
- `same_site: "Lax"` - CSRF protection
## Security Considerations
### 1. OIDC ID Matching
- **Before**: Matched by email (vulnerable to account takeover)
- **After**: Matched by `oidc_id` (secure)
### 2. Account Linking Flow
- Password verification required before linking (for password-protected users)
- Passwordless users are auto-linked immediately (secure, as they have no password)
- OIDC info stored in session (not in URL/query params)
- CSRF protection on all forms
- All linking attempts logged for audit trail
### 3. Email Updates
- Email updates from OIDC provider are applied during linking
- Email changes sync to linked member (if exists)
### 4. Error Handling
- Internal errors are logged but not exposed to users (prevents information disclosure)
- User-friendly error messages shown in UI
- Security-relevant events logged with appropriate levels:
- `Logger.info` for successful operations
- `Logger.warning` for failed authentication attempts
- `Logger.error` for system errors
## Usage Examples
### Scenario 1: New OIDC User
```elixir
# User signs in with OIDC for the first time
# → New user created with oidc_id
```
### Scenario 2: Existing OIDC User
```elixir
# User with oidc_id signs in via OIDC
# → Matched by oidc_id, email updated if changed
```
### Scenario 3: Password User + OIDC Login
```elixir
# User with password account tries OIDC login
# → PasswordVerificationRequired raised
# → Redirected to /auth/link-oidc-account
# → User enters password
# → Password verified and logged
# → oidc_id linked to account
# → Successful linking logged
# → Redirected to complete OIDC login
```
### Scenario 4: Passwordless User + OIDC Login
```elixir
# User without password (invited user) tries OIDC login
# → PasswordVerificationRequired raised
# → Redirected to /auth/link-oidc-account
# → System detects passwordless user
# → oidc_id automatically linked (no password prompt)
# → Auto-linking logged
# → Redirected to complete OIDC login
```
## API
### Custom Actions
#### `link_oidc_id`
Links an OIDC ID to existing user after password verification.
**Arguments**:
- `oidc_id` (required): OIDC sub/id from provider
- `oidc_user_info` (required): Full OIDC user info map
**Returns**: Updated user with linked `oidc_id`
**Side Effects**:
- Updates email if different from OIDC provider
- Syncs email to linked member (if exists)
## References
- [AshAuthentication Documentation](https://hexdocs.pm/ash_authentication)
- [OIDC Specification](https://openid.net/specs/openid-connect-core-1_0.html)
- [Security Best Practices for Account Linking](https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html)

48
lib/accounts/user.ex
View file

@ -171,6 +171,41 @@ defmodule Mv.Accounts.User do
change AshAuthentication.Strategy.Password.HashPasswordChange
end
# Action to link an OIDC account to an existing password-only user
# This is called after the user has verified their password
update :link_oidc_id do
description "Links an OIDC ID to an existing user after password verification"
accept []
argument :oidc_id, :string, allow_nil?: false
argument :oidc_user_info, :map, allow_nil?: false
require_atomic? false
change fn changeset, _ctx ->
oidc_id = Ash.Changeset.get_argument(changeset, :oidc_id)
oidc_user_info = Ash.Changeset.get_argument(changeset, :oidc_user_info)
# Get the new email from OIDC user_info
new_email = Map.get(oidc_user_info, "preferred_username")
changeset
|> Ash.Changeset.change_attribute(:oidc_id, oidc_id)
# Update email if it differs from OIDC provider
# change_attribute/3 already checks if value matches existing value
|> then(fn cs ->
if new_email do
Ash.Changeset.change_attribute(cs, :email, new_email)
else
cs
end
end)
end
# Sync email changes to member if email was updated
change Mv.EmailSync.Changes.SyncUserEmailToMember do
where [changing(:email)]
end
end
read :get_by_subject do
description "Get a user by the subject claim in a JWT"
argument :subject, :string, allow_nil?: false
@ -183,13 +218,18 @@ defmodule Mv.Accounts.User do
argument :oauth_tokens, :map, allow_nil?: false
prepare AshAuthentication.Strategy.OAuth2.SignInPreparation
filter expr(email == get_path(^arg(:user_info), [:preferred_username]))
# SECURITY: Filter by oidc_id, NOT by email!
# This ensures that OIDC sign-in only works for users who have already
# linked their account via OIDC. Password-only users (oidc_id = nil)
# cannot be accessed via OIDC login without password verification.
filter expr(oidc_id == get_path(^arg(:user_info), [:sub]))
end
create :register_with_rauthy do
argument :user_info, :map, allow_nil?: false
argument :oauth_tokens, :map, allow_nil?: false
upsert? true
# Upsert based on oidc_id (primary match for existing OIDC users)
upsert_identity :unique_oidc_id
validate &__MODULE__.validate_oidc_id_present/2
@ -204,6 +244,12 @@ defmodule Mv.Accounts.User do
|> Ash.Changeset.change_attribute(:oidc_id, user_info["sub"] || user_info["id"])
end
# Check for email collisions with existing accounts
# This validation must run AFTER email and oidc_id are set above
# - Raises PasswordVerificationRequired for password-protected OR passwordless users
# - The LinkOidcAccountLive will auto-link passwordless users without password prompt
validate Mv.Accounts.User.Validations.OidcEmailCollision
# Sync user email to member when linking (User → Member)
change Mv.EmailSync.Changes.SyncUserEmailToMember
end

33
lib/accounts/user/errors/password_verification_required.ex Normal file
View file

@ -0,0 +1,33 @@
defmodule Mv.Accounts.User.Errors.PasswordVerificationRequired do
@moduledoc """
Custom error raised when an OIDC login attempts to use an email that already exists
in the system with a password-only account (no oidc_id set).
This error indicates that the user must verify their password before the OIDC account
can be linked to the existing password account.
"""
use Splode.Error,
fields: [:user_id, :oidc_user_info],
class: :invalid
@type t :: %__MODULE__{
user_id: String.t(),
oidc_user_info: map()
}
@doc """
Returns a human-readable error message.
## Parameters
- error: The error struct containing user_id and oidc_user_info
"""
def message(%{user_id: user_id, oidc_user_info: user_info}) do
email = Map.get(user_info, "preferred_username", "unknown")
oidc_id = Map.get(user_info, "sub") || Map.get(user_info, "id", "unknown")
"""
Password verification required: An account with email '#{email}' already exists (user_id: #{user_id}).
To link your OIDC account (oidc_id: #{oidc_id}) to this existing account, please verify your password.
"""
end
end

172
lib/accounts/user/validations/oidc_email_collision.ex Normal file
View file

@ -0,0 +1,172 @@
defmodule Mv.Accounts.User.Validations.OidcEmailCollision do
@moduledoc """
Validation that checks for email collisions during OIDC registration.
This validation prevents unauthorized account takeovers and enforces proper
account linking flows based on user state.
## Scenarios:
1. **User exists with matching oidc_id**:
- Allow (upsert will update the existing user)
2. **User exists with different oidc_id**:
- Hard error: Cannot link multiple OIDC providers to same account
- No linking possible - user must use original OIDC provider
3. **User exists without oidc_id** (password-protected OR passwordless):
- Raise PasswordVerificationRequired error
- User is redirected to LinkOidcAccountLive which will:
- Show password form if user has password
- Auto-link immediately if user is passwordless
4. **No user exists with this email**:
- Allow (new user will be created)
"""
use Ash.Resource.Validation
require Logger
alias Mv.Accounts.User.Errors.PasswordVerificationRequired
@impl true
def init(opts), do: {:ok, opts}
@impl true
def validate(changeset, _opts, _context) do
# Get the email and oidc_id from the changeset
email = Ash.Changeset.get_attribute(changeset, :email)
oidc_id = Ash.Changeset.get_attribute(changeset, :oidc_id)
user_info = Ash.Changeset.get_argument(changeset, :user_info)
# Only validate if we have both email and oidc_id (from OIDC registration)
if email && oidc_id && user_info do
# Check if a user with this oidc_id already exists
# If yes, this will be an upsert (email update), not a new registration
existing_oidc_user =
case Mv.Accounts.User
|> Ash.Query.filter(oidc_id == ^to_string(oidc_id))
|> Ash.read_one() do
{:ok, user} -> user
_ -> nil
end
check_email_collision(email, oidc_id, user_info, existing_oidc_user)
else
:ok
end
end
defp check_email_collision(email, new_oidc_id, user_info, existing_oidc_user) do
# Find existing user with this email
case Mv.Accounts.User
|> Ash.Query.filter(email == ^to_string(email))
|> Ash.read_one() do
{:ok, nil} ->
# No user exists with this email - OK to create new user
:ok
{:ok, user_with_email} ->
# User exists with this email - check if it's an upsert or registration
is_upsert = not is_nil(existing_oidc_user)
if is_upsert do
handle_upsert_scenario(user_with_email, user_info, existing_oidc_user)
else
handle_create_scenario(user_with_email, new_oidc_id, user_info)
end
{:error, error} ->
# Database error - log for debugging but don't expose internals to user
Logger.error("Email uniqueness check failed during OIDC registration: #{inspect(error)}")
{:error, field: :email, message: "Could not verify email uniqueness. Please try again."}
end
end
# Handle email update for existing OIDC user
defp handle_upsert_scenario(user_with_email, user_info, existing_oidc_user) do
cond do
# Same user updating their own record
not is_nil(existing_oidc_user) and user_with_email.id == existing_oidc_user.id ->
:ok
# Different user exists with target email
not is_nil(existing_oidc_user) and user_with_email.id != existing_oidc_user.id ->
handle_email_conflict(user_with_email, user_info)
# Should not reach here
true ->
{:error, field: :email, message: "Unexpected error during email update"}
end
end
# Handle email conflict during upsert
defp handle_email_conflict(user_with_email, user_info) do
email = Map.get(user_info, "preferred_username", "unknown")
email_user_oidc_id = user_with_email.oidc_id
# Check if target email belongs to another OIDC user
if not is_nil(email_user_oidc_id) and email_user_oidc_id != "" do
different_oidc_error(email)
else
email_taken_error(email)
end
end
# Handle new OIDC user registration scenarios
defp handle_create_scenario(user_with_email, new_oidc_id, user_info) do
email_user_oidc_id = user_with_email.oidc_id
cond do
# Same oidc_id (should not happen in practice, but allow for safety)
email_user_oidc_id == new_oidc_id ->
:ok
# Different oidc_id exists (hard error)
not is_nil(email_user_oidc_id) and email_user_oidc_id != "" and
email_user_oidc_id != new_oidc_id ->
email = Map.get(user_info, "preferred_username", "unknown")
different_oidc_error(email)
# No oidc_id (require account linking)
is_nil(email_user_oidc_id) or email_user_oidc_id == "" ->
{:error,
PasswordVerificationRequired.exception(
user_id: user_with_email.id,
oidc_user_info: user_info
)}
# Should not reach here
true ->
{:error, field: :email, message: "Unexpected error during OIDC registration"}
end
end
# Generate error for different OIDC account conflict
defp different_oidc_error(email) do
{:error,
field: :email,
message:
"Email '#{email}' is already linked to a different OIDC account. " <>
"Cannot link multiple OIDC providers to the same account."}
end
# Generate error for email already taken
defp email_taken_error(email) do
{:error,
field: :email,
message:
"Cannot update email to '#{email}': This email is already registered to another account. " <>
"Please change your email in the identity provider."}
end
@impl true
def atomic?(), do: false
@impl true
def describe(_opts) do
[
message: "OIDC email collision detected",
vars: []
]
end
end

162
lib/mv_web/controllers/auth_controller.ex
View file

@ -1,9 +1,21 @@
require Logger
defmodule MvWeb.AuthController do
@moduledoc """
Handles authentication callbacks for password and OIDC authentication.
This controller manages:
- Successful authentication (password, OIDC, password reset, email confirmation)
- Authentication failures with appropriate error handling
- OIDC account linking flow when email collision occurs
- Sign out functionality
"""
use MvWeb, :controller
use AshAuthentication.Phoenix.Controller
alias Mv.Accounts.User.Errors.PasswordVerificationRequired
def success(conn, activity, user, _token) do
return_to = get_session(conn, :return_to) || ~p"/"
@ -23,26 +35,144 @@ defmodule MvWeb.AuthController do
|> redirect(to: return_to)
end
def failure(conn, activity, reason) do
Logger.error(%{conn: conn, reason: reason})
@doc """
Handles authentication failures and routes to appropriate error handling.
message =
case {activity, reason} do
{_,
%AshAuthentication.Errors.AuthenticationFailed{
caused_by: %Ash.Error.Forbidden{
errors: [%AshAuthentication.Errors.CannotConfirmUnconfirmedUser{}]
}
}} ->
gettext("""
You have already signed in another way, but have not confirmed your account.
You can confirm your account using the link we sent to you, or by resetting your password.
""")
Manages:
- OIDC email collisions (triggers password verification flow)
- Generic OIDC authentication failures
- Unconfirmed account errors
- Generic authentication failures
"""
def failure(conn, activity, reason) do
Logger.warning(
"Authentication failure - Activity: #{inspect(activity)}, Reason: #{inspect(reason)}"
)
case {activity, reason} do
{{:rauthy, _action}, reason} ->
handle_rauthy_failure(conn, reason)
{_, %AshAuthentication.Errors.AuthenticationFailed{caused_by: caused_by}} ->
handle_authentication_failed(conn, caused_by)
_ ->
redirect_with_error(conn, gettext("Incorrect email or password"))
end
end
# Handle all Rauthy (OIDC) authentication failures
defp handle_rauthy_failure(conn, %Ash.Error.Invalid{errors: errors}) do
handle_oidc_email_collision(conn, errors)
end
defp handle_rauthy_failure(conn, %AshAuthentication.Errors.AuthenticationFailed{
caused_by: caused_by
}) do
case caused_by do
%Ash.Error.Invalid{errors: errors} ->
handle_oidc_email_collision(conn, errors)
_ ->
redirect_with_error(conn, gettext("Unable to authenticate with OIDC. Please try again."))
end
end
# Handle generic AuthenticationFailed errors
defp handle_authentication_failed(conn, %Ash.Error.Forbidden{errors: errors}) do
if Enum.any?(errors, &match?(%AshAuthentication.Errors.CannotConfirmUnconfirmedUser{}, &1)) do
message =
gettext("""
You have already signed in another way, but have not confirmed your account.
You can confirm your account using the link we sent to you, or by resetting your password.
""")
redirect_with_error(conn, message)
else
redirect_with_error(conn, gettext("Authentication failed. Please try again."))
end
end
defp handle_authentication_failed(conn, _other) do
redirect_with_error(conn, gettext("Authentication failed. Please try again."))
end
# Handle OIDC email collision - user needs to verify password to link accounts
defp handle_oidc_email_collision(conn, errors) do
case find_password_verification_error(errors) do
%PasswordVerificationRequired{user_id: user_id, oidc_user_info: oidc_user_info} ->
redirect_to_account_linking(conn, user_id, oidc_user_info)
nil ->
# Check if it's a "different OIDC account" error or email uniqueness error
error_message = extract_meaningful_error_message(errors)
redirect_with_error(conn, error_message)
end
end
# Extract meaningful error message from Ash errors
defp extract_meaningful_error_message(errors) do
# Look for specific error messages in InvalidAttribute errors
meaningful_error =
Enum.find_value(errors, fn
%Ash.Error.Changes.InvalidAttribute{message: message, field: :email}
when is_binary(message) ->
cond do
# Email update conflict during OIDC login
String.contains?(message, "Cannot update email to") and
String.contains?(message, "already registered to another account") ->
gettext(
"Cannot update email: This email is already registered to another account. Please change your email in the identity provider."
)
# Different OIDC account error
String.contains?(message, "already linked to a different OIDC account") ->
gettext(
"This email is already linked to a different OIDC account. Cannot link multiple OIDC providers to the same account."
)
true ->
nil
end
%Ash.Error.Changes.InvalidAttribute{message: message}
when is_binary(message) ->
# Return any other meaningful message
if String.length(message) > 20 and
not String.contains?(message, "has already been taken") do
message
else
nil
end
_ ->
gettext("Incorrect email or password")
end
nil
end)
meaningful_error || gettext("Unable to sign in. Please try again.")
end
# Find PasswordVerificationRequired error in error list
defp find_password_verification_error(errors) do
Enum.find(errors, &match?(%PasswordVerificationRequired{}, &1))
end
# Redirect to account linking page with OIDC info stored in session
defp redirect_to_account_linking(conn, user_id, oidc_user_info) do
conn
|> put_session(:oidc_linking_user_id, user_id)
|> put_session(:oidc_linking_user_info, oidc_user_info)
|> put_flash(
:info,
gettext(
"An account with this email already exists. Please verify your password to link your OIDC account."
)
)
|> redirect(to: ~p"/auth/link-oidc-account")
end
# Generic error redirect helper
defp redirect_with_error(conn, message) do
conn
|> put_flash(:error, message)
|> redirect(to: ~p"/sign-in")

296
lib/mv_web/live/auth/link_oidc_account_live.ex Normal file
View file

@ -0,0 +1,296 @@
defmodule MvWeb.LinkOidcAccountLive do
@moduledoc """
LiveView for linking an OIDC account to an existing password account.
This page is shown when a user tries to log in via OIDC using an email
that already exists with a password-only account. The user must verify
their password before the OIDC account can be linked.
## Flow
1. User attempts OIDC login with email that has existing password account
2. System raises `PasswordVerificationRequired` error
3. AuthController redirects here with user_id and oidc_user_info in session
4. User enters password to verify identity
5. On success, oidc_id is linked to user account
6. User is redirected to complete OIDC login
"""
use MvWeb, :live_view
require Ash.Query
require Logger
@impl true
def mount(_params, session, socket) do
with user_id when not is_nil(user_id) <- Map.get(session, "oidc_linking_user_id"),
oidc_user_info when not is_nil(oidc_user_info) <-
Map.get(session, "oidc_linking_user_info"),
{:ok, user} <- Ash.get(Mv.Accounts.User, user_id) do
# Check if user is passwordless
if passwordless?(user) do
# Auto-link passwordless user immediately
{:ok, auto_link_passwordless_user(socket, user, oidc_user_info)}
else
# Show password form for password-protected user
{:ok, initialize_socket(socket, user, oidc_user_info)}
end
else
nil ->
{:ok, redirect_with_error(socket, dgettext("auth", "Invalid session. Please try again."))}
{:error, _} ->
{:ok, redirect_with_error(socket, dgettext("auth", "Session expired. Please try again."))}
end
end
defp passwordless?(user) do
is_nil(user.hashed_password)
end
defp reload_user!(user_id) do
Mv.Accounts.User
|> Ash.Query.filter(id == ^user_id)
|> Ash.read_one!()
end
defp reset_password_form(socket) do
assign(socket, :form, to_form(%{"password" => ""}))
end
defp auto_link_passwordless_user(socket, user, oidc_user_info) do
oidc_id = Map.get(oidc_user_info, "sub") || Map.get(oidc_user_info, "id")
case user.id
|> reload_user!()
|> Ash.Changeset.for_update(:link_oidc_id, %{
oidc_id: oidc_id,
oidc_user_info: oidc_user_info
})
|> Ash.update() do
{:ok, updated_user} ->
Logger.info(
"Passwordless account auto-linked to OIDC: user_id=#{updated_user.id}, oidc_id=#{oidc_id}"
)
socket
|> put_flash(
:info,
dgettext("auth", "Account activated! Redirecting to complete sign-in...")
)
|> Phoenix.LiveView.redirect(to: ~p"/auth/user/rauthy")
{:error, error} ->
Logger.warning(
"Failed to auto-link passwordless account: user_id=#{user.id}, error=#{inspect(error)}"
)
error_message = extract_user_friendly_error(error)
socket
|> put_flash(:error, error_message)
|> redirect(to: ~p"/sign-in")
end
end
defp extract_user_friendly_error(%Ash.Error.Invalid{errors: errors}) do
# Check for specific error types
Enum.find_value(errors, fn
%Ash.Error.Changes.InvalidAttribute{field: :oidc_id, message: message} ->
if String.contains?(message, "already been taken") do
dgettext(
"auth",
"This OIDC account is already linked to another user. Please contact support."
)
else
nil
end
%Ash.Error.Changes.InvalidAttribute{field: :email, message: message} ->
if String.contains?(message, "already been taken") do
dgettext(
"auth",
"The email address from your OIDC provider is already registered to another account. Please change your email in the identity provider or contact support."
)
else
nil
end
_ ->
nil
end) ||
dgettext("auth", "Failed to link account. Please try again or contact support.")
end
defp extract_user_friendly_error(_error) do
dgettext("auth", "Failed to link account. Please try again or contact support.")
end
defp initialize_socket(socket, user, oidc_user_info) do
socket
|> assign(:user, user)
|> assign(:oidc_user_info, oidc_user_info)
|> assign(:password, "")
|> assign(:error, nil)
|> reset_password_form()
end
defp redirect_with_error(socket, message) do
socket
|> put_flash(:error, message)
|> redirect(to: ~p"/sign-in")
end
@impl true
def handle_event("validate", %{"password" => password}, socket) do
{:noreply, assign(socket, :password, password)}
end
@impl true
def handle_event("submit", %{"password" => password}, socket) do
user = socket.assigns.user
oidc_user_info = socket.assigns.oidc_user_info
# Verify the password using AshAuthentication
case verify_password(user.email, password) do
{:ok, verified_user} ->
# Password correct - link the OIDC account
link_oidc_account(socket, verified_user, oidc_user_info)
{:error, _reason} ->
# Password incorrect - log security event
Logger.warning("Failed password verification for OIDC linking: user_email=#{user.email}")
{:noreply,
socket
|> assign(:error, dgettext("auth", "Incorrect password. Please try again."))
|> reset_password_form()}
end
end
defp verify_password(email, password) do
# Use AshAuthentication password strategy to verify
strategies = AshAuthentication.Info.authentication_strategies(Mv.Accounts.User)
password_strategy = Enum.find(strategies, fn s -> s.name == :password end)
if password_strategy do
AshAuthentication.Strategy.Password.Actions.sign_in(
password_strategy,
%{
"email" => email,
"password" => password
},
[]
)
else
{:error, "Password authentication not configured"}
end
end
defp link_oidc_account(socket, user, oidc_user_info) do
oidc_id = Map.get(oidc_user_info, "sub") || Map.get(oidc_user_info, "id")
# Update the user with the OIDC ID
case user.id
|> reload_user!()
|> Ash.Changeset.for_update(:link_oidc_id, %{
oidc_id: oidc_id,
oidc_user_info: oidc_user_info
})
|> Ash.update() do
{:ok, updated_user} ->
# After successful linking, redirect to OIDC login
# Since the user now has an oidc_id, the next OIDC login will succeed
Logger.info(
"OIDC account successfully linked after password verification: user_id=#{updated_user.id}, oidc_id=#{oidc_id}"
)
{:noreply,
socket
|> put_flash(
:info,
dgettext(
"auth",
"Your OIDC account has been successfully linked! Redirecting to complete sign-in..."
)
)
|> Phoenix.LiveView.redirect(to: ~p"/auth/user/rauthy")}
{:error, error} ->
Logger.warning(
"Failed to link OIDC account after password verification: user_id=#{user.id}, error=#{inspect(error)}"
)
error_message = extract_user_friendly_error(error)
{:noreply,
socket
|> assign(:error, error_message)
|> reset_password_form()}
end
end
@impl true
def render(assigns) do
~H"""
<div class="mx-auto max-w-sm mt-16">
<%!-- Language Selector --%>
<nav aria-label={dgettext("auth", "Language selection")} class="flex justify-center mb-4">
<form method="post" action="/set_locale" class="text-sm">
<input type="hidden" name="_csrf_token" value={Plug.CSRFProtection.get_csrf_token()} />
<select
name="locale"
onchange="this.form.submit()"
class="select select-sm select-bordered"
aria-label={dgettext("auth", "Select language")}
>
<option value="de" selected={Gettext.get_locale() == "de"}>🇩🇪 Deutsch</option>
<option value="en" selected={Gettext.get_locale() == "en"}>🇬🇧 English</option>
</select>
</form>
</nav>
<main>
<.header class="text-center">
{dgettext("auth", "Link OIDC Account")}
<:subtitle>
{dgettext(
"auth",
"An account with email %{email} already exists. Please enter your password to link your OIDC account.",
email: @user.email
)}
</:subtitle>
</.header>
<.form for={@form} id="link-oidc-form" phx-submit="submit" phx-change="validate" class="mt-8">
<div class="space-y-6">
<div>
<.input
field={@form[:password]}
type="password"
label={dgettext("auth", "Password")}
required
/>
</div>
<%= if @error do %>
<div class="rounded-md bg-red-50 p-4">
<p class="text-sm text-red-800">{@error}</p>
</div>
<% end %>
<div>
<.button phx-disable-with={dgettext("auth", "Linking...")} class="w-full">
{dgettext("auth", "Link Account")}
</.button>
</div>
</div>
</.form>
<div class="mt-4 text-center text-sm">
<.link navigate={~p"/sign-in"} class="text-brand hover:underline">
{dgettext("auth", "Cancel")}
</.link>
</div>
</main>
</div>
"""
end
end

7
lib/mv_web/locale_controller.ex
View file

@ -4,6 +4,13 @@ defmodule MvWeb.LocaleController do
def set_locale(conn, %{"locale" => locale}) do
conn
|> put_session(:locale, locale)
# Store locale in a cookie that persists beyond the session
|> put_resp_cookie("locale", locale,
max_age: 365 * 24 * 60 * 60,
same_site: "Lax",
http_only: true,
secure: Application.get_env(:mv, :use_secure_cookies, false)
)
|> redirect(to: get_referer(conn) || "/")
end

11
lib/mv_web/router.ex
View file

@ -76,6 +76,9 @@ defmodule MvWeb.Router do
post "/set_locale", LocaleController, :set_locale
end
# OIDC account linking - user needs to verify password (MUST be before auth_routes!)
live "/auth/link-oidc-account", LinkOidcAccountLive
# ASHAUTHENTICATION GENERATED AUTH ROUTES
auth_routes AuthController, Mv.Accounts.User, path: "/auth"
sign_out_route AuthController
@ -141,6 +144,7 @@ defmodule MvWeb.Router do
defp set_locale(conn, _opts) do
locale =
get_session(conn, :locale) ||
get_locale_from_cookie(conn) ||
extract_locale_from_headers(conn.req_headers)
Gettext.put_locale(MvWeb.Gettext, locale)
@ -150,6 +154,13 @@ defmodule MvWeb.Router do
|> assign(:locale, locale)
end
defp get_locale_from_cookie(conn) do
case conn.req_cookies do
%{"locale" => locale} when locale in ["en", "de"] -> locale
_ -> nil
end
end
# Get locale from user
defp extract_locale_from_headers(headers) do
headers

2
mix.exs
View file

@ -22,7 +22,7 @@ defmodule Mv.MixProject do
def application do
[
mod: {Mv.Application, []},
extra_applications: [:logger, :runtime_tools]
extra_applications: [:logger, :runtime_tools, :gettext]
]
end

78
priv/gettext/auth.pot
View file

@ -36,6 +36,8 @@ msgstr ""
msgid "Need an account?"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:268
#, elixir-autogen
msgid "Password"
msgstr ""
@ -62,3 +64,79 @@ msgstr ""
msgid "Your password has successfully been reset"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:254
#, elixir-autogen, elixir-format
msgid "An account with email %{email} already exists. Please enter your password to link your OIDC account."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:289
#, elixir-autogen, elixir-format
msgid "Cancel"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:163
#, elixir-autogen, elixir-format
msgid "Incorrect password. Please try again."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:37
#, elixir-autogen, elixir-format
msgid "Invalid session. Please try again."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:281
#, elixir-autogen, elixir-format
msgid "Link Account"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:252
#, elixir-autogen, elixir-format
msgid "Link OIDC Account"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:280
#, elixir-autogen, elixir-format
msgid "Linking..."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:40
#, elixir-autogen, elixir-format
msgid "Session expired. Please try again."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:209
#, elixir-autogen, elixir-format
msgid "Your OIDC account has been successfully linked! Redirecting to complete sign-in..."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:76
#, elixir-autogen, elixir-format
msgid "Account activated! Redirecting to complete sign-in..."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:119
#: lib/mv_web/live/auth/link_oidc_account_live.ex:123
#, elixir-autogen, elixir-format
msgid "Failed to link account. Please try again or contact support."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:108
#, elixir-autogen, elixir-format
msgid "The email address from your OIDC provider is already registered to another account. Please change your email in the identity provider or contact support."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:98
#, elixir-autogen, elixir-format
msgid "This OIDC account is already linked to another user. Please contact support."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:235
#, elixir-autogen, elixir-format
msgid "Language selection"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:242
#, elixir-autogen, elixir-format
msgid "Select language"
msgstr ""

79
priv/gettext/de/LC_MESSAGES/auth.po
View file

@ -35,6 +35,8 @@ msgstr "Falls diese*r Benutzer*in bekannt ist, wird jetzt eine Email mit einer A
msgid "Need an account?"
msgstr "Konto anlegen?"
#: lib/mv_web/live/auth/link_oidc_account_live.ex:268
#, elixir-autogen
msgid "Password"
msgstr "Passwort"
@ -62,5 +64,78 @@ msgstr "Anmelden..."
msgid "Your password has successfully been reset"
msgstr "Das Passwort wurde erfolgreich zurückgesetzt"
#~ msgid "Sign in with Rauthy"
#~ msgstr "Anmelden mit der Vereinscloud"
#: lib/mv_web/live/auth/link_oidc_account_live.ex:254
#, elixir-autogen, elixir-format
msgid "An account with email %{email} already exists. Please enter your password to link your OIDC account."
msgstr "Ein Konto mit der E-Mail %{email} existiert bereits. Bitte geben Sie Ihr Passwort ein, um Ihr OIDC-Konto zu verknüpfen."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:289
#, elixir-autogen, elixir-format
msgid "Cancel"
msgstr "Abbrechen"
#: lib/mv_web/live/auth/link_oidc_account_live.ex:163
#, elixir-autogen, elixir-format
msgid "Incorrect password. Please try again."
msgstr "Falsches Passwort. Bitte versuchen Sie es erneut."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:37
#, elixir-autogen, elixir-format
msgid "Invalid session. Please try again."
msgstr "Ungültige Sitzung. Bitte versuchen Sie es erneut."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:281
#, elixir-autogen, elixir-format
msgid "Link Account"
msgstr "Konto verknüpfen"
#: lib/mv_web/live/auth/link_oidc_account_live.ex:252
#, elixir-autogen, elixir-format
msgid "Link OIDC Account"
msgstr "OIDC-Konto verknüpfen"
#: lib/mv_web/live/auth/link_oidc_account_live.ex:280
#, elixir-autogen, elixir-format
msgid "Linking..."
msgstr "Verknüpfen..."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:40
#, elixir-autogen, elixir-format
msgid "Session expired. Please try again."
msgstr "Sitzung abgelaufen. Bitte versuchen Sie es erneut."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:209
#, elixir-autogen, elixir-format
msgid "Your OIDC account has been successfully linked! Redirecting to complete sign-in..."
msgstr "Ihr OIDC-Konto wurde erfolgreich verknüpft! Sie werden zur Anmeldung weitergeleitet..."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:76
#, elixir-autogen, elixir-format
msgid "Account activated! Redirecting to complete sign-in..."
msgstr "Konto aktiviert! Sie werden zur Anmeldung weitergeleitet..."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:119
#: lib/mv_web/live/auth/link_oidc_account_live.ex:123
#, elixir-autogen, elixir-format
msgid "Failed to link account. Please try again or contact support."
msgstr "Verknüpfung des Kontos fehlgeschlagen. Bitte versuchen Sie es erneut oder kontaktieren Sie den Support."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:108
#, elixir-autogen, elixir-format
msgid "The email address from your OIDC provider is already registered to another account. Please change your email in the identity provider or contact support."
msgstr "Die E-Mail-Adresse aus Ihrem OIDC-Provider ist bereits für ein anderes Konto registriert. Bitte ändern Sie Ihre E-Mail-Adresse im Identity-Provider oder kontaktieren Sie den Support."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:98
#, elixir-autogen, elixir-format
msgid "This OIDC account is already linked to another user. Please contact support."
msgstr "Dieses OIDC-Konto ist bereits mit einem anderen Benutzer verknüpft. Bitte kontaktieren Sie den Support."
#: lib/mv_web/live/auth/link_oidc_account_live.ex:235
#, elixir-autogen, elixir-format
msgid "Language selection"
msgstr "Sprachauswahl"
#: lib/mv_web/live/auth/link_oidc_account_live.ex:242
#, elixir-autogen, elixir-format
msgid "Select language"
msgstr "Sprache auswählen"

119
priv/gettext/de/LC_MESSAGES/default.po
View file

@ -15,7 +15,7 @@ msgstr ""
msgid "Actions"
msgstr "Aktionen"
#: lib/mv_web/live/member_live/index.html.heex:193
#: lib/mv_web/live/member_live/index.html.heex:200
#: lib/mv_web/live/user_live/index.html.heex:65
#, elixir-autogen, elixir-format
msgid "Are you sure?"
@ -28,19 +28,19 @@ msgid "Attempting to reconnect"
msgstr "Verbindung wird wiederhergestellt"
#: lib/mv_web/live/member_live/form.ex:25
#: lib/mv_web/live/member_live/index.html.heex:138
#: lib/mv_web/live/member_live/show.ex:36
#: lib/mv_web/live/member_live/index.html.heex:145
#: lib/mv_web/live/member_live/show.ex:37
#, elixir-autogen, elixir-format
msgid "City"
msgstr "Stadt"
#: lib/mv_web/live/member_live/index.html.heex:195
#: lib/mv_web/live/member_live/index.html.heex:202
#: lib/mv_web/live/user_live/index.html.heex:67
#, elixir-autogen, elixir-format
msgid "Delete"
msgstr "Löschen"
#: lib/mv_web/live/member_live/index.html.heex:187
#: lib/mv_web/live/member_live/index.html.heex:194
#: lib/mv_web/live/user_live/form.ex:109
#: lib/mv_web/live/user_live/index.html.heex:59
#, elixir-autogen, elixir-format
@ -54,8 +54,8 @@ msgid "Edit Member"
msgstr "Mitglied bearbeiten"
#: lib/mv_web/live/member_live/form.ex:18
#: lib/mv_web/live/member_live/index.html.heex:70
#: lib/mv_web/live/member_live/show.ex:27
#: lib/mv_web/live/member_live/index.html.heex:77
#: lib/mv_web/live/member_live/show.ex:28
#: lib/mv_web/live/user_live/form.ex:14
#: lib/mv_web/live/user_live/index.html.heex:44
#: lib/mv_web/live/user_live/show.ex:25
@ -70,8 +70,8 @@ msgid "First Name"
msgstr "Vorname"
#: lib/mv_web/live/member_live/form.ex:22
#: lib/mv_web/live/member_live/index.html.heex:172
#: lib/mv_web/live/member_live/show.ex:33
#: lib/mv_web/live/member_live/index.html.heex:179
#: lib/mv_web/live/member_live/show.ex:34
#, elixir-autogen, elixir-format
msgid "Join Date"
msgstr "Beitrittsdatum"
@ -87,7 +87,7 @@ msgstr "Nachname"
msgid "New Member"
msgstr "Neues Mitglied"
#: lib/mv_web/live/member_live/index.html.heex:184
#: lib/mv_web/live/member_live/index.html.heex:191
#: lib/mv_web/live/user_live/index.html.heex:56
#, elixir-autogen, elixir-format
msgid "Show"
@ -127,8 +127,8 @@ msgid "Exit Date"
msgstr "Austrittsdatum"
#: lib/mv_web/live/member_live/form.ex:27
#: lib/mv_web/live/member_live/index.html.heex:104
#: lib/mv_web/live/member_live/show.ex:38
#: lib/mv_web/live/member_live/index.html.heex:111
#: lib/mv_web/live/member_live/show.ex:39
#, elixir-autogen, elixir-format
msgid "House Number"
msgstr "Hausnummer"
@ -146,15 +146,15 @@ msgid "Paid"
msgstr "Bezahlt"
#: lib/mv_web/live/member_live/form.ex:21
#: lib/mv_web/live/member_live/index.html.heex:155
#: lib/mv_web/live/member_live/show.ex:32
#: lib/mv_web/live/member_live/index.html.heex:162
#: lib/mv_web/live/member_live/show.ex:33
#, elixir-autogen, elixir-format
msgid "Phone Number"
msgstr "Telefonnummer"
#: lib/mv_web/live/member_live/form.ex:28
#: lib/mv_web/live/member_live/index.html.heex:121
#: lib/mv_web/live/member_live/show.ex:39
#: lib/mv_web/live/member_live/index.html.heex:128
#: lib/mv_web/live/member_live/show.ex:40
#, elixir-autogen, elixir-format
msgid "Postal Code"
msgstr "Postleitzahl"
@ -173,8 +173,8 @@ msgid "Saving..."
msgstr "Speichern..."
#: lib/mv_web/live/member_live/form.ex:26
#: lib/mv_web/live/member_live/index.html.heex:87
#: lib/mv_web/live/member_live/show.ex:37
#: lib/mv_web/live/member_live/index.html.heex:94
#: lib/mv_web/live/member_live/show.ex:38
#, elixir-autogen, elixir-format
msgid "Street"
msgstr "Straße"
@ -223,7 +223,7 @@ msgstr "erstellt"
msgid "update"
msgstr "aktualisiert"
#: lib/mv_web/controllers/auth_controller.ex:43
#: lib/mv_web/controllers/auth_controller.ex:60
#, elixir-autogen, elixir-format
msgid "Incorrect email or password"
msgstr "Falsche E-Mail oder Passwort"
@ -233,27 +233,27 @@ msgstr "Falsche E-Mail oder Passwort"
msgid "Member %{action} successfully"
msgstr "Mitglied %{action} erfolgreich"
#: lib/mv_web/controllers/auth_controller.ex:14
#: lib/mv_web/controllers/auth_controller.ex:26
#, elixir-autogen, elixir-format
msgid "You are now signed in"
msgstr "Sie sind jetzt angemeldet"
#: lib/mv_web/controllers/auth_controller.ex:56
#: lib/mv_web/controllers/auth_controller.ex:186
#, elixir-autogen, elixir-format
msgid "You are now signed out"
msgstr "Sie sind jetzt abgemeldet"
#: lib/mv_web/controllers/auth_controller.ex:37
#: lib/mv_web/controllers/auth_controller.ex:85
#, elixir-autogen, elixir-format
msgid "You have already signed in another way, but have not confirmed your account.\nYou can confirm your account using the link we sent to you, or by resetting your password.\n"
msgstr "Sie haben sich bereits auf andere Weise angemeldet, aber Ihr Konto noch nicht bestätigt.\nSie können Ihr Konto über den Link bestätigen, den wir Ihnen gesendet haben, oder durch Zurücksetzen Ihres Passworts.\n"
#: lib/mv_web/controllers/auth_controller.ex:12
#: lib/mv_web/controllers/auth_controller.ex:24
#, elixir-autogen, elixir-format
msgid "Your email address has now been confirmed"
msgstr "Ihre E-Mail-Adresse wurde bestätigt"
#: lib/mv_web/controllers/auth_controller.ex:13
#: lib/mv_web/controllers/auth_controller.ex:25
#, elixir-autogen, elixir-format
msgid "Your password has successfully been reset"
msgstr "Ihr Passwort wurde erfolgreich zurückgesetzt"
@ -301,7 +301,7 @@ msgstr "ID"
msgid "Immutable"
msgstr "Unveränderlich"
#: lib/mv_web/components/layouts/navbar.ex:94
#: lib/mv_web/components/layouts/navbar.ex:93
#, elixir-autogen, elixir-format
msgid "Logout"
msgstr "Abmelden"
@ -317,8 +317,8 @@ msgstr "Benutzer*innen auflisten"
msgid "Member"
msgstr "Mitglied"
#: lib/mv_web/components/layouts/navbar.ex:14
#: lib/mv_web/live/member_live/index.ex:8
#: lib/mv_web/components/layouts/navbar.ex:19
#: lib/mv_web/live/member_live/index.ex:10
#: lib/mv_web/live/member_live/index.html.heex:3
#, elixir-autogen, elixir-format
msgid "Members"
@ -366,7 +366,7 @@ msgstr "Passwort-Authentifizierung"
msgid "Please select a property type first"
msgstr "Bitte wählen Sie zuerst einen Eigenschaftstyp"
#: lib/mv_web/components/layouts/navbar.ex:89
#: lib/mv_web/components/layouts/navbar.ex:88
#, elixir-autogen, elixir-format
msgid "Profil"
msgstr "Profil"
@ -411,7 +411,7 @@ msgstr "Alle Mitglieder auswählen"
msgid "Select member"
msgstr "Mitglied auswählen"
#: lib/mv_web/components/layouts/navbar.ex:92
#: lib/mv_web/components/layouts/navbar.ex:91
#, elixir-autogen, elixir-format
msgid "Settings"
msgstr "Einstellungen"
@ -468,13 +468,13 @@ msgid "Value type"
msgstr "Wertetyp"
#: lib/mv_web/components/table_components.ex:30
#: lib/mv_web/live/components/sort_header_component.ex:55
#: lib/mv_web/live/components/sort_header_component.ex:57
#, elixir-autogen, elixir-format
msgid "ascending"
msgstr "aufsteigend"
#: lib/mv_web/components/table_components.ex:30
#: lib/mv_web/live/components/sort_header_component.ex:56
#: lib/mv_web/live/components/sort_header_component.ex:58
#, elixir-autogen, elixir-format
msgid "descending"
msgstr "absteigend"
@ -586,14 +586,14 @@ msgstr "Zurück zur Mitgliederliste"
msgid "Back to users list"
msgstr "Zurück zur Benutzer*innen-Liste"
#: lib/mv_web/components/layouts/navbar.ex:27
#: lib/mv_web/components/layouts/navbar.ex:33
#: lib/mv_web/components/layouts/navbar.ex:26
#: lib/mv_web/components/layouts/navbar.ex:32
#, elixir-autogen, elixir-format
msgid "Select language"
msgstr "Sprache auswählen"
#: lib/mv_web/components/layouts/navbar.ex:40
#: lib/mv_web/components/layouts/navbar.ex:60
#: lib/mv_web/components/layouts/navbar.ex:39
#: lib/mv_web/components/layouts/navbar.ex:59
#, elixir-autogen, elixir-format
msgid "Toggle dark mode"
msgstr "Dunklen Modus umschalten"
@ -601,15 +601,52 @@ msgstr "Dunklen Modus umschalten"
#: lib/mv_web/live/components/search_bar_component.ex:15
#: lib/mv_web/live/member_live/index.html.heex:15
#, elixir-autogen, elixir-format
msgid "Search..."
msgstr "Suchen..."
#: lib/mv_web/components/layouts/navbar.ex:20
#, elixir-autogen, elixir-format
msgid "Users"
msgstr "Benutzer*innen"
#: lib/mv_web/live/components/sort_header_component.ex:59
#: lib/mv_web/live/components/sort_header_component.ex:63
#, elixir-autogen, elixir-format
msgid "Click to sort"
msgstr "Klicke um zu sortieren"
#: lib/mv_web/live/member_live/index.html.heex:53
#, elixir-autogen, elixir-format, fuzzy
#: lib/mv_web/live/member_live/index.html.heex:60
#, elixir-autogen, elixir-format
msgid "First name"
msgstr "Vorname"
#~ #: lib/mv_web/auth_overrides.ex:30
#~ #, elixir-autogen, elixir-format
#~ msgid "or"
#~ msgstr "oder"
#: lib/mv_web/controllers/auth_controller.ex:167
#, elixir-autogen, elixir-format
msgid "An account with this email already exists. Please verify your password to link your OIDC account."
msgstr "Ein Konto mit dieser E-Mail existiert bereits. Bitte verifizieren Sie Ihr Passwort, um Ihr OIDC-Konto zu verknüpfen."
#: lib/mv_web/controllers/auth_controller.ex:77
#, elixir-autogen, elixir-format
msgid "Unable to authenticate with OIDC. Please try again."
msgstr "OIDC-Authentifizierung fehlgeschlagen. Bitte versuchen Sie es erneut."
#: lib/mv_web/controllers/auth_controller.ex:152
#, elixir-autogen, elixir-format
msgid "Unable to sign in. Please try again."
msgstr "Anmeldung fehlgeschlagen. Bitte versuchen Sie es erneut."
#: lib/mv_web/controllers/auth_controller.ex:92
#: lib/mv_web/controllers/auth_controller.ex:97
#, elixir-autogen, elixir-format
msgid "Authentication failed. Please try again."
msgstr "Authentifizierung fehlgeschlagen. Bitte versuchen Sie es erneut."
#: lib/mv_web/controllers/auth_controller.ex:124
#, elixir-autogen, elixir-format
msgid "Cannot update email: This email is already registered to another account. Please change your email in the identity provider."
msgstr "E-Mail kann nicht aktualisiert werden: Diese E-Mail-Adresse ist bereits für ein anderes Konto registriert. Bitte ändern Sie Ihre E-Mail-Adresse im Identity-Provider."
#: lib/mv_web/controllers/auth_controller.ex:130
#, elixir-autogen, elixir-format
msgid "This email is already linked to a different OIDC account. Cannot link multiple OIDC providers to the same account."
msgstr "Diese E-Mail-Adresse ist bereits mit einem anderen OIDC-Konto verknüpft. Es können nicht mehrere OIDC-Provider mit demselben Konto verknüpft werden."

108
priv/gettext/default.pot
View file

@ -16,7 +16,7 @@ msgstr ""
msgid "Actions"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:193
#: lib/mv_web/live/member_live/index.html.heex:200
#: lib/mv_web/live/user_live/index.html.heex:65
#, elixir-autogen, elixir-format
msgid "Are you sure?"
@ -29,19 +29,19 @@ msgid "Attempting to reconnect"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:25
#: lib/mv_web/live/member_live/index.html.heex:138
#: lib/mv_web/live/member_live/show.ex:36
#: lib/mv_web/live/member_live/index.html.heex:145
#: lib/mv_web/live/member_live/show.ex:37
#, elixir-autogen, elixir-format
msgid "City"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:195
#: lib/mv_web/live/member_live/index.html.heex:202
#: lib/mv_web/live/user_live/index.html.heex:67
#, elixir-autogen, elixir-format
msgid "Delete"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:187
#: lib/mv_web/live/member_live/index.html.heex:194
#: lib/mv_web/live/user_live/form.ex:109
#: lib/mv_web/live/user_live/index.html.heex:59
#, elixir-autogen, elixir-format
@ -55,8 +55,8 @@ msgid "Edit Member"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:18
#: lib/mv_web/live/member_live/index.html.heex:70
#: lib/mv_web/live/member_live/show.ex:27
#: lib/mv_web/live/member_live/index.html.heex:77
#: lib/mv_web/live/member_live/show.ex:28
#: lib/mv_web/live/user_live/form.ex:14
#: lib/mv_web/live/user_live/index.html.heex:44
#: lib/mv_web/live/user_live/show.ex:25
@ -71,8 +71,8 @@ msgid "First Name"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:22
#: lib/mv_web/live/member_live/index.html.heex:172
#: lib/mv_web/live/member_live/show.ex:33
#: lib/mv_web/live/member_live/index.html.heex:179
#: lib/mv_web/live/member_live/show.ex:34
#, elixir-autogen, elixir-format
msgid "Join Date"
msgstr ""
@ -88,7 +88,7 @@ msgstr ""
msgid "New Member"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:184
#: lib/mv_web/live/member_live/index.html.heex:191
#: lib/mv_web/live/user_live/index.html.heex:56
#, elixir-autogen, elixir-format
msgid "Show"
@ -128,8 +128,8 @@ msgid "Exit Date"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:27
#: lib/mv_web/live/member_live/index.html.heex:104
#: lib/mv_web/live/member_live/show.ex:38
#: lib/mv_web/live/member_live/index.html.heex:111
#: lib/mv_web/live/member_live/show.ex:39
#, elixir-autogen, elixir-format
msgid "House Number"
msgstr ""
@ -147,15 +147,15 @@ msgid "Paid"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:21
#: lib/mv_web/live/member_live/index.html.heex:155
#: lib/mv_web/live/member_live/show.ex:32
#: lib/mv_web/live/member_live/index.html.heex:162
#: lib/mv_web/live/member_live/show.ex:33
#, elixir-autogen, elixir-format
msgid "Phone Number"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:28
#: lib/mv_web/live/member_live/index.html.heex:121
#: lib/mv_web/live/member_live/show.ex:39
#: lib/mv_web/live/member_live/index.html.heex:128
#: lib/mv_web/live/member_live/show.ex:40
#, elixir-autogen, elixir-format
msgid "Postal Code"
msgstr ""
@ -174,8 +174,8 @@ msgid "Saving..."
msgstr ""
#: lib/mv_web/live/member_live/form.ex:26
#: lib/mv_web/live/member_live/index.html.heex:87
#: lib/mv_web/live/member_live/show.ex:37
#: lib/mv_web/live/member_live/index.html.heex:94
#: lib/mv_web/live/member_live/show.ex:38
#, elixir-autogen, elixir-format
msgid "Street"
msgstr ""
@ -224,7 +224,7 @@ msgstr ""
msgid "update"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:43
#: lib/mv_web/controllers/auth_controller.ex:60
#, elixir-autogen, elixir-format
msgid "Incorrect email or password"
msgstr ""
@ -234,27 +234,27 @@ msgstr ""
msgid "Member %{action} successfully"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:14
#: lib/mv_web/controllers/auth_controller.ex:26
#, elixir-autogen, elixir-format
msgid "You are now signed in"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:56
#: lib/mv_web/controllers/auth_controller.ex:186
#, elixir-autogen, elixir-format
msgid "You are now signed out"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:37
#: lib/mv_web/controllers/auth_controller.ex:85
#, elixir-autogen, elixir-format
msgid "You have already signed in another way, but have not confirmed your account.\nYou can confirm your account using the link we sent to you, or by resetting your password.\n"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:12
#: lib/mv_web/controllers/auth_controller.ex:24
#, elixir-autogen, elixir-format
msgid "Your email address has now been confirmed"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:13
#: lib/mv_web/controllers/auth_controller.ex:25
#, elixir-autogen, elixir-format
msgid "Your password has successfully been reset"
msgstr ""
@ -302,7 +302,7 @@ msgstr ""
msgid "Immutable"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:94
#: lib/mv_web/components/layouts/navbar.ex:93
#, elixir-autogen, elixir-format
msgid "Logout"
msgstr ""
@ -318,8 +318,8 @@ msgstr ""
msgid "Member"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:14
#: lib/mv_web/live/member_live/index.ex:8
#: lib/mv_web/components/layouts/navbar.ex:19
#: lib/mv_web/live/member_live/index.ex:10
#: lib/mv_web/live/member_live/index.html.heex:3
#, elixir-autogen, elixir-format
msgid "Members"
@ -367,7 +367,7 @@ msgstr ""
msgid "Please select a property type first"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:89
#: lib/mv_web/components/layouts/navbar.ex:88
#, elixir-autogen, elixir-format
msgid "Profil"
msgstr ""
@ -412,7 +412,7 @@ msgstr ""
msgid "Select member"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:92
#: lib/mv_web/components/layouts/navbar.ex:91
#, elixir-autogen, elixir-format
msgid "Settings"
msgstr ""
@ -469,13 +469,13 @@ msgid "Value type"
msgstr ""
#: lib/mv_web/components/table_components.ex:30
#: lib/mv_web/live/components/sort_header_component.ex:55
#: lib/mv_web/live/components/sort_header_component.ex:57
#, elixir-autogen, elixir-format
msgid "ascending"
msgstr ""
#: lib/mv_web/components/table_components.ex:30
#: lib/mv_web/live/components/sort_header_component.ex:56
#: lib/mv_web/live/components/sort_header_component.ex:58
#, elixir-autogen, elixir-format
msgid "descending"
msgstr ""
@ -587,14 +587,14 @@ msgstr ""
msgid "Back to users list"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:27
#: lib/mv_web/components/layouts/navbar.ex:33
#: lib/mv_web/components/layouts/navbar.ex:26
#: lib/mv_web/components/layouts/navbar.ex:32
#, elixir-autogen, elixir-format
msgid "Select language"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:40
#: lib/mv_web/components/layouts/navbar.ex:60
#: lib/mv_web/components/layouts/navbar.ex:39
#: lib/mv_web/components/layouts/navbar.ex:59
#, elixir-autogen, elixir-format
msgid "Toggle dark mode"
msgstr ""
@ -608,12 +608,46 @@ msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:20
#, elixir-autogen, elixir-format
msgid "Users"
#: lib/mv_web/live/components/sort_header_component.ex:60
msgstr ""
#: lib/mv_web/live/components/sort_header_component.ex:59
#: lib/mv_web/live/components/sort_header_component.ex:63
#, elixir-autogen, elixir-format
msgid "Click to sort"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:53
#: lib/mv_web/live/member_live/index.html.heex:60
#, elixir-autogen, elixir-format
msgid "First name"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:167
#, elixir-autogen, elixir-format
msgid "An account with this email already exists. Please verify your password to link your OIDC account."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:77
#, elixir-autogen, elixir-format
msgid "Unable to authenticate with OIDC. Please try again."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:152
#, elixir-autogen, elixir-format
msgid "Unable to sign in. Please try again."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:92
#: lib/mv_web/controllers/auth_controller.ex:97
#, elixir-autogen, elixir-format
msgid "Authentication failed. Please try again."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:124
#, elixir-autogen, elixir-format
msgid "Cannot update email: This email is already registered to another account. Please change your email in the identity provider."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:130
#, elixir-autogen, elixir-format
msgid "This email is already linked to a different OIDC account. Cannot link multiple OIDC providers to the same account."
msgstr ""

79
priv/gettext/en/LC_MESSAGES/auth.po
View file

@ -32,6 +32,8 @@ msgstr ""
msgid "Need an account?"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:268
#, elixir-autogen
msgid "Password"
msgstr ""
@ -59,5 +61,78 @@ msgstr ""
msgid "Your password has successfully been reset"
msgstr ""
#~ msgid "Sign in with Rauthy"
#~ msgstr "Sign in with Vereinscloud"
#: lib/mv_web/live/auth/link_oidc_account_live.ex:254
#, elixir-autogen, elixir-format
msgid "An account with email %{email} already exists. Please enter your password to link your OIDC account."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:289
#, elixir-autogen, elixir-format
msgid "Cancel"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:163
#, elixir-autogen, elixir-format
msgid "Incorrect password. Please try again."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:37
#, elixir-autogen, elixir-format
msgid "Invalid session. Please try again."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:281
#, elixir-autogen, elixir-format
msgid "Link Account"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:252
#, elixir-autogen, elixir-format
msgid "Link OIDC Account"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:280
#, elixir-autogen, elixir-format
msgid "Linking..."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:40
#, elixir-autogen, elixir-format
msgid "Session expired. Please try again."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:209
#, elixir-autogen, elixir-format
msgid "Your OIDC account has been successfully linked! Redirecting to complete sign-in..."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:76
#, elixir-autogen, elixir-format
msgid "Account activated! Redirecting to complete sign-in..."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:119
#: lib/mv_web/live/auth/link_oidc_account_live.ex:123
#, elixir-autogen, elixir-format
msgid "Failed to link account. Please try again or contact support."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:108
#, elixir-autogen, elixir-format
msgid "The email address from your OIDC provider is already registered to another account. Please change your email in the identity provider or contact support."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:98
#, elixir-autogen, elixir-format
msgid "This OIDC account is already linked to another user. Please contact support."
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:235
#, elixir-autogen, elixir-format
msgid "Language selection"
msgstr ""
#: lib/mv_web/live/auth/link_oidc_account_live.ex:242
#, elixir-autogen, elixir-format
msgid "Select language"
msgstr ""

156
priv/gettext/en/LC_MESSAGES/default.po
View file

@ -16,7 +16,7 @@ msgstr ""
msgid "Actions"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:193
#: lib/mv_web/live/member_live/index.html.heex:200
#: lib/mv_web/live/user_live/index.html.heex:65
#, elixir-autogen, elixir-format
msgid "Are you sure?"
@ -29,19 +29,19 @@ msgid "Attempting to reconnect"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:25
#: lib/mv_web/live/member_live/index.html.heex:138
#: lib/mv_web/live/member_live/show.ex:36
#: lib/mv_web/live/member_live/index.html.heex:145
#: lib/mv_web/live/member_live/show.ex:37
#, elixir-autogen, elixir-format
msgid "City"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:195
#: lib/mv_web/live/member_live/index.html.heex:202
#: lib/mv_web/live/user_live/index.html.heex:67
#, elixir-autogen, elixir-format
msgid "Delete"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:187
#: lib/mv_web/live/member_live/index.html.heex:194
#: lib/mv_web/live/user_live/form.ex:109
#: lib/mv_web/live/user_live/index.html.heex:59
#, elixir-autogen, elixir-format
@ -55,8 +55,8 @@ msgid "Edit Member"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:18
#: lib/mv_web/live/member_live/index.html.heex:70
#: lib/mv_web/live/member_live/show.ex:27
#: lib/mv_web/live/member_live/index.html.heex:77
#: lib/mv_web/live/member_live/show.ex:28
#: lib/mv_web/live/user_live/form.ex:14
#: lib/mv_web/live/user_live/index.html.heex:44
#: lib/mv_web/live/user_live/show.ex:25
@ -71,8 +71,8 @@ msgid "First Name"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:22
#: lib/mv_web/live/member_live/index.html.heex:172
#: lib/mv_web/live/member_live/show.ex:33
#: lib/mv_web/live/member_live/index.html.heex:179
#: lib/mv_web/live/member_live/show.ex:34
#, elixir-autogen, elixir-format
msgid "Join Date"
msgstr ""
@ -88,7 +88,7 @@ msgstr ""
msgid "New Member"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:184
#: lib/mv_web/live/member_live/index.html.heex:191
#: lib/mv_web/live/user_live/index.html.heex:56
#, elixir-autogen, elixir-format
msgid "Show"
@ -128,8 +128,8 @@ msgid "Exit Date"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:27
#: lib/mv_web/live/member_live/index.html.heex:104
#: lib/mv_web/live/member_live/show.ex:38
#: lib/mv_web/live/member_live/index.html.heex:111
#: lib/mv_web/live/member_live/show.ex:39
#, elixir-autogen, elixir-format
msgid "House Number"
msgstr ""
@ -147,15 +147,15 @@ msgid "Paid"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:21
#: lib/mv_web/live/member_live/index.html.heex:155
#: lib/mv_web/live/member_live/show.ex:32
#: lib/mv_web/live/member_live/index.html.heex:162
#: lib/mv_web/live/member_live/show.ex:33
#, elixir-autogen, elixir-format
msgid "Phone Number"
msgstr ""
#: lib/mv_web/live/member_live/form.ex:28
#: lib/mv_web/live/member_live/index.html.heex:121
#: lib/mv_web/live/member_live/show.ex:39
#: lib/mv_web/live/member_live/index.html.heex:128
#: lib/mv_web/live/member_live/show.ex:40
#, elixir-autogen, elixir-format
msgid "Postal Code"
msgstr ""
@ -174,8 +174,8 @@ msgid "Saving..."
msgstr ""
#: lib/mv_web/live/member_live/form.ex:26
#: lib/mv_web/live/member_live/index.html.heex:87
#: lib/mv_web/live/member_live/show.ex:37
#: lib/mv_web/live/member_live/index.html.heex:94
#: lib/mv_web/live/member_live/show.ex:38
#, elixir-autogen, elixir-format
msgid "Street"
msgstr ""
@ -224,7 +224,7 @@ msgstr ""
msgid "update"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:43
#: lib/mv_web/controllers/auth_controller.ex:60
#, elixir-autogen, elixir-format
msgid "Incorrect email or password"
msgstr ""
@ -234,27 +234,27 @@ msgstr ""
msgid "Member %{action} successfully"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:14
#: lib/mv_web/controllers/auth_controller.ex:26
#, elixir-autogen, elixir-format
msgid "You are now signed in"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:56
#: lib/mv_web/controllers/auth_controller.ex:186
#, elixir-autogen, elixir-format
msgid "You are now signed out"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:37
#: lib/mv_web/controllers/auth_controller.ex:85
#, elixir-autogen, elixir-format
msgid "You have already signed in another way, but have not confirmed your account.\nYou can confirm your account using the link we sent to you, or by resetting your password.\n"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:12
#: lib/mv_web/controllers/auth_controller.ex:24
#, elixir-autogen, elixir-format
msgid "Your email address has now been confirmed"
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:13
#: lib/mv_web/controllers/auth_controller.ex:25
#, elixir-autogen, elixir-format
msgid "Your password has successfully been reset"
msgstr ""
@ -302,7 +302,7 @@ msgstr ""
msgid "Immutable"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:94
#: lib/mv_web/components/layouts/navbar.ex:93
#, elixir-autogen, elixir-format
msgid "Logout"
msgstr ""
@ -318,8 +318,8 @@ msgstr ""
msgid "Member"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:14
#: lib/mv_web/live/member_live/index.ex:8
#: lib/mv_web/components/layouts/navbar.ex:19
#: lib/mv_web/live/member_live/index.ex:10
#: lib/mv_web/live/member_live/index.html.heex:3
#, elixir-autogen, elixir-format
msgid "Members"
@ -367,7 +367,7 @@ msgstr ""
msgid "Please select a property type first"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:89
#: lib/mv_web/components/layouts/navbar.ex:88
#, elixir-autogen, elixir-format
msgid "Profil"
msgstr ""
@ -412,7 +412,7 @@ msgstr ""
msgid "Select member"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:92
#: lib/mv_web/components/layouts/navbar.ex:91
#, elixir-autogen, elixir-format
msgid "Settings"
msgstr ""
@ -469,13 +469,13 @@ msgid "Value type"
msgstr ""
#: lib/mv_web/components/table_components.ex:30
#: lib/mv_web/live/components/sort_header_component.ex:55
#: lib/mv_web/live/components/sort_header_component.ex:57
#, elixir-autogen, elixir-format
msgid "ascending"
msgstr ""
#: lib/mv_web/components/table_components.ex:30
#: lib/mv_web/live/components/sort_header_component.ex:56
#: lib/mv_web/live/components/sort_header_component.ex:58
#, elixir-autogen, elixir-format
msgid "descending"
msgstr ""
@ -555,17 +555,99 @@ msgstr "Set Password"
msgid "User will be created without a password. Check 'Set Password' to add one."
msgstr "User will be created without a password. Check 'Set Password' to add one."
#: lib/mv_web/live/components/sort_header_component.ex:60
#: lib/mv_web/live/user_live/show.ex:30
#, elixir-autogen, elixir-format, fuzzy
msgid "Linked Member"
msgstr ""
#: lib/mv_web/live/member_live/show.ex:41
#, elixir-autogen, elixir-format
msgid "Linked User"
msgstr ""
#: lib/mv_web/live/user_live/show.ex:40
#, elixir-autogen, elixir-format
msgid "No member linked"
msgstr ""
#: lib/mv_web/live/member_live/show.ex:51
#, elixir-autogen, elixir-format
msgid "No user linked"
msgstr ""
#: lib/mv_web/live/member_live/show.ex:14
#: lib/mv_web/live/member_live/show.ex:16
#, elixir-autogen, elixir-format
msgid "Back to members list"
msgstr ""
#: lib/mv_web/live/user_live/show.ex:13
#: lib/mv_web/live/user_live/show.ex:15
#, elixir-autogen, elixir-format
msgid "Back to users list"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:26
#: lib/mv_web/components/layouts/navbar.ex:32
#, elixir-autogen, elixir-format, fuzzy
msgid "Select language"
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:39
#: lib/mv_web/components/layouts/navbar.ex:59
#, elixir-autogen, elixir-format
msgid "Toggle dark mode"
msgstr ""
#: lib/mv_web/live/components/search_bar_component.ex:15
#: lib/mv_web/live/member_live/index.html.heex:15
#, elixir-autogen, elixir-format
msgid "Search..."
msgstr ""
#: lib/mv_web/components/layouts/navbar.ex:20
#, elixir-autogen, elixir-format, fuzzy
msgid "Users"
msgstr ""
#: lib/mv_web/live/components/sort_header_component.ex:59
#: lib/mv_web/live/components/sort_header_component.ex:63
#, elixir-autogen, elixir-format
msgid "Click to sort"
msgstr ""
#: lib/mv_web/live/member_live/index.html.heex:53
#: lib/mv_web/live/member_live/index.html.heex:60
#, elixir-autogen, elixir-format, fuzzy
msgid "First name"
msgstr ""
#~ #: lib/mv_web/auth_overrides.ex:30
#~ #, elixir-autogen, elixir-format
#~ msgid "or"
#~ msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:167
#, elixir-autogen, elixir-format
msgid "An account with this email already exists. Please verify your password to link your OIDC account."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:77
#, elixir-autogen, elixir-format
msgid "Unable to authenticate with OIDC. Please try again."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:152
#, elixir-autogen, elixir-format
msgid "Unable to sign in. Please try again."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:92
#: lib/mv_web/controllers/auth_controller.ex:97
#, elixir-autogen, elixir-format
msgid "Authentication failed. Please try again."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:124
#, elixir-autogen, elixir-format
msgid "Cannot update email: This email is already registered to another account. Please change your email in the identity provider."
msgstr ""
#: lib/mv_web/controllers/auth_controller.ex:130
#, elixir-autogen, elixir-format
msgid "This email is already linked to a different OIDC account. Cannot link multiple OIDC providers to the same account."
msgstr ""

265
test/accounts/user_authentication_test.exs Normal file
View file

@ -0,0 +1,265 @@
defmodule Mv.Accounts.UserAuthenticationTest do
@moduledoc """
Tests for user authentication and identification mechanisms.
This test suite verifies that:
- Password login correctly identifies users via email
- OIDC login correctly identifies users via oidc_id
- Session identifiers work as expected for both authentication methods
"""
use MvWeb.ConnCase, async: true
require Ash.Query
describe "Password authentication user identification" do
@tag :test_proposal
test "password login uses email as identifier" do
# Create a user with password authentication (no oidc_id)
user =
create_test_user(%{
email: "password.user@example.com",
password: "securepassword123",
oidc_id: nil
})
# Verify that the user can be found by email
email_to_find = to_string(user.email)
{:ok, users} =
Mv.Accounts.User
|> Ash.Query.filter(email == ^email_to_find)
|> Ash.read()
assert length(users) == 1
found_user = List.first(users)
assert found_user.id == user.id
assert to_string(found_user.email) == "password.user@example.com"
assert is_nil(found_user.oidc_id)
end
@tag :test_proposal
test "password authentication uses email as identity_field" do
# Verify the configuration: password strategy should use email as identity_field
# This test checks the AshAuthentication configuration
strategies = AshAuthentication.Info.authentication_strategies(Mv.Accounts.User)
password_strategy = Enum.find(strategies, fn s -> s.name == :password end)
assert password_strategy != nil
assert password_strategy.identity_field == :email
end
@tag :test_proposal
test "multiple users can exist with different emails" do
user1 =
create_test_user(%{
email: "user1@example.com",
password: "password123",
oidc_id: nil
})
user2 =
create_test_user(%{
email: "user2@example.com",
password: "password456",
oidc_id: nil
})
assert user1.id != user2.id
assert to_string(user1.email) != to_string(user2.email)
end
@tag :test_proposal
test "users with same password but different emails are separate accounts" do
same_password = "shared_password_123"
user1 =
create_test_user(%{
email: "alice@example.com",
password: same_password,
oidc_id: nil
})
user2 =
create_test_user(%{
email: "bob@example.com",
password: same_password,
oidc_id: nil
})
# Different users despite same password
assert user1.id != user2.id
# Both passwords should hash to different values (bcrypt uses salt)
assert user1.hashed_password != user2.hashed_password
end
end
describe "OIDC authentication user identification" do
@tag :test_proposal
test "OIDC login with matching oidc_id finds correct user" do
# Create user with OIDC authentication
user =
create_test_user(%{
email: "oidc.user@example.com",
oidc_id: "oidc_identifier_12345"
})
# Simulate OIDC callback
user_info = %{
"sub" => "oidc_identifier_12345",
"preferred_username" => "oidc.user@example.com"
}
# Use sign_in_with_rauthy to find user by oidc_id
# Note: This test will FAIL until we implement the security fix
# that changes the filter from email to oidc_id
result =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
case result do
{:ok, [found_user]} ->
assert found_user.id == user.id
assert found_user.oidc_id == "oidc_identifier_12345"
{:ok, []} ->
flunk("User should be found by oidc_id")
{:error, error} ->
flunk("Unexpected error: #{inspect(error)}")
end
end
@tag :test_proposal
test "OIDC login creates new user when both email and oidc_id are new" do
# Completely new user from OIDC provider
user_info = %{
"sub" => "brand_new_oidc_789",
"preferred_username" => "newuser@example.com"
}
# Should create via register_with_rauthy
{:ok, new_user} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
assert to_string(new_user.email) == "newuser@example.com"
assert new_user.oidc_id == "brand_new_oidc_789"
assert is_nil(new_user.hashed_password)
end
@tag :test_proposal
test "OIDC user can be uniquely identified by oidc_id" do
user1 =
create_test_user(%{
email: "user1@example.com",
oidc_id: "oidc_unique_1"
})
user2 =
create_test_user(%{
email: "user2@example.com",
oidc_id: "oidc_unique_2"
})
# Find by oidc_id
{:ok, users1} =
Mv.Accounts.User
|> Ash.Query.filter(oidc_id == "oidc_unique_1")
|> Ash.read()
{:ok, users2} =
Mv.Accounts.User
|> Ash.Query.filter(oidc_id == "oidc_unique_2")
|> Ash.read()
assert length(users1) == 1
assert length(users2) == 1
assert List.first(users1).id == user1.id
assert List.first(users2).id == user2.id
end
end
describe "Mixed authentication scenarios" do
@tag :test_proposal
test "user with oidc_id cannot be found by email-only query in sign_in_with_rauthy" do
# This test verifies the security fix: sign_in_with_rauthy should NOT
# match users by email, only by oidc_id
_user =
create_test_user(%{
email: "secure@example.com",
oidc_id: "secure_oidc_999"
})
# Try to sign in with DIFFERENT oidc_id but SAME email
user_info = %{
# Different oidc_id!
"sub" => "attacker_oidc_888",
# Same email
"preferred_username" => "secure@example.com"
}
# Should NOT find the user (security requirement)
result =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Either returns empty list OR authentication error - both mean "user not found"
case result do
{:ok, []} ->
:ok
{:error, %Ash.Error.Forbidden{errors: [%AshAuthentication.Errors.AuthenticationFailed{}]}} ->
:ok
other ->
flunk("sign_in_with_rauthy should not match by email alone, got: #{inspect(other)}")
end
end
@tag :test_proposal
test "password user (oidc_id=nil) is not found by sign_in_with_rauthy" do
# Create a password-only user
_user =
create_test_user(%{
email: "password.only@example.com",
password: "securepass123",
oidc_id: nil
})
# Try OIDC sign-in with this email
user_info = %{
"sub" => "new_oidc_777",
"preferred_username" => "password.only@example.com"
}
# Should NOT find the user because oidc_id is nil
result =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Either returns empty list OR authentication error - both mean "user not found"
case result do
{:ok, []} ->
:ok
{:error, %Ash.Error.Forbidden{errors: [%AshAuthentication.Errors.AuthenticationFailed{}]}} ->
:ok
other ->
flunk(
"Password-only user should not be found by sign_in_with_rauthy, got: #{inspect(other)}"
)
end
end
end
end

415
test/mv_web/controllers/oidc_e2e_flow_test.exs Normal file
View file

@ -0,0 +1,415 @@
defmodule MvWeb.OidcE2EFlowTest do
@moduledoc """
End-to-end tests for OIDC authentication flows.
These tests simulate the complete user journey through OIDC authentication,
including account linking scenarios.
"""
use MvWeb.ConnCase, async: true
require Ash.Query
describe "E2E: New OIDC user registration" do
test "new user can register via OIDC", %{conn: _conn} do
# Simulate OIDC callback for brand new user
user_info = %{
"sub" => "new_oidc_user_123",
"preferred_username" => "newuser@example.com"
}
# Call register action
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
assert {:ok, new_user} = result
assert to_string(new_user.email) == "newuser@example.com"
assert new_user.oidc_id == "new_oidc_user_123"
assert is_nil(new_user.hashed_password)
# Verify user can be found by oidc_id
{:ok, [found_user]} =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
assert found_user.id == new_user.id
end
end
describe "E2E: Existing OIDC user sign-in" do
test "existing OIDC user can sign in and email updates", %{conn: _conn} do
# Create OIDC user
user =
create_test_user(%{
email: "oldmail@example.com",
oidc_id: "oidc_existing_999"
})
# User changed email at OIDC provider
updated_user_info = %{
"sub" => "oidc_existing_999",
"preferred_username" => "newmail@example.com"
}
# Register (upsert) with new email
{:ok, updated_user} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: updated_user_info,
oauth_tokens: %{}
})
# Same user, updated email
assert updated_user.id == user.id
assert to_string(updated_user.email) == "newmail@example.com"
assert updated_user.oidc_id == "oidc_existing_999"
end
end
describe "E2E: OIDC with existing password account (Email Collision)" do
test "OIDC registration with password account email triggers PasswordVerificationRequired",
%{conn: _conn} do
# Step 1: Create a password-only user
password_user =
create_test_user(%{
email: "collision@example.com",
password: "mypassword123",
oidc_id: nil
})
# Step 2: Try to register via OIDC with same email
user_info = %{
"sub" => "oidc_new_777",
"preferred_username" => "collision@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Step 3: Should fail with PasswordVerificationRequired
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
password_error =
Enum.find(errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
assert password_error != nil
assert password_error.user_id == password_user.id
assert password_error.oidc_user_info["sub"] == "oidc_new_777"
assert password_error.oidc_user_info["preferred_username"] == "collision@example.com"
end
test "full E2E flow: OIDC collision -> password verification -> account linked",
%{conn: _conn} do
# Step 1: Create password user
password_user =
create_test_user(%{
email: "full@example.com",
password: "testpass123",
oidc_id: nil
})
# Step 2: OIDC registration triggers error
user_info = %{
"sub" => "oidc_link_888",
"preferred_username" => "full@example.com"
}
{:error, %Ash.Error.Invalid{errors: errors}} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Extract the error
password_error =
Enum.find(errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
assert password_error != nil
# Step 3: User verifies password (this would happen in LiveView)
# Here we simulate successful password verification
# Step 4: Link OIDC account after verification
{:ok, linked_user} =
Mv.Accounts.User
|> Ash.Query.filter(id == ^password_user.id)
|> Ash.read_one!()
|> Ash.Changeset.for_update(:link_oidc_id, %{
oidc_id: user_info["sub"],
oidc_user_info: user_info
})
|> Ash.update()
# Verify account is now linked
assert linked_user.id == password_user.id
assert linked_user.oidc_id == "oidc_link_888"
assert to_string(linked_user.email) == "full@example.com"
# Password should still exist
assert linked_user.hashed_password == password_user.hashed_password
# Step 5: User can now sign in via OIDC
{:ok, [signed_in_user]} =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
assert signed_in_user.id == password_user.id
assert signed_in_user.oidc_id == "oidc_link_888"
end
test "E2E: OIDC collision with different email at provider updates email after linking",
%{conn: _conn} do
# Password user with old email
password_user =
create_test_user(%{
email: "old@example.com",
password: "pass123",
oidc_id: nil
})
# OIDC provider has new email
user_info = %{
"sub" => "oidc_new_email_555",
"preferred_username" => "old@example.com"
}
# Collision detected
{:error, %Ash.Error.Invalid{}} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# After password verification, link with OIDC info that has NEW email
updated_user_info = %{
"sub" => "oidc_new_email_555",
"preferred_username" => "new@example.com"
}
{:ok, linked_user} =
Mv.Accounts.User
|> Ash.Query.filter(id == ^password_user.id)
|> Ash.read_one!()
|> Ash.Changeset.for_update(:link_oidc_id, %{
oidc_id: updated_user_info["sub"],
oidc_user_info: updated_user_info
})
|> Ash.update()
# Email should be updated to match OIDC provider
assert to_string(linked_user.email) == "new@example.com"
assert linked_user.oidc_id == "oidc_new_email_555"
end
end
describe "E2E: OIDC with linked member" do
test "E2E: email sync to member when linking OIDC to password account", %{conn: _conn} do
# Create member
member =
Ash.Seed.seed!(Mv.Membership.Member, %{
email: "member@example.com",
first_name: "Test",
last_name: "User"
})
# Create password user linked to member
password_user =
Ash.Seed.seed!(Mv.Accounts.User, %{
email: "member@example.com",
hashed_password: "dummy_hash",
oidc_id: nil,
member_id: member.id
})
# OIDC registration with same email
user_info = %{
"sub" => "oidc_member_333",
"preferred_username" => "member@example.com"
}
# Collision detected
{:error, %Ash.Error.Invalid{}} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# After password verification, link OIDC with NEW email
updated_user_info = %{
"sub" => "oidc_member_333",
"preferred_username" => "newmember@example.com"
}
{:ok, linked_user} =
Mv.Accounts.User
|> Ash.Query.filter(id == ^password_user.id)
|> Ash.read_one!()
|> Ash.Changeset.for_update(:link_oidc_id, %{
oidc_id: updated_user_info["sub"],
oidc_user_info: updated_user_info
})
|> Ash.update()
# User email updated
assert to_string(linked_user.email) == "newmember@example.com"
# Member email should be synced
{:ok, updated_member} = Ash.get(Mv.Membership.Member, member.id)
assert to_string(updated_member.email) == "newmember@example.com"
end
end
describe "E2E: Security scenarios" do
test "E2E: password-only user cannot be accessed via OIDC without password", %{conn: _conn} do
# Create password user
_password_user =
create_test_user(%{
email: "secure@example.com",
password: "securepass123",
oidc_id: nil
})
# Attacker tries to sign in via OIDC with same email
user_info = %{
"sub" => "attacker_oidc_666",
"preferred_username" => "secure@example.com"
}
# Sign-in should fail (no matching oidc_id)
result =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
case result do
{:ok, []} ->
:ok
{:error, %Ash.Error.Forbidden{}} ->
:ok
other ->
flunk("Expected no access, got: #{inspect(other)}")
end
# Registration should trigger password requirement
{:error, %Ash.Error.Invalid{errors: errors}} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
assert Enum.any?(errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
test "E2E: user with oidc_id cannot be hijacked by different OIDC provider", %{conn: _conn} do
# User linked to OIDC provider A
_user =
create_test_user(%{
email: "linked@example.com",
oidc_id: "provider_a_123"
})
# Attacker tries to register with OIDC provider B using same email
user_info = %{
"sub" => "provider_b_456",
"preferred_username" => "linked@example.com"
}
# Should trigger hard error (not PasswordVerificationRequired)
{:error, %Ash.Error.Invalid{errors: errors}} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Should have hard error about "already linked to a different OIDC account"
assert Enum.any?(errors, fn
%Ash.Error.Changes.InvalidAttribute{message: msg} ->
String.contains?(msg, "already linked to a different OIDC account")
_ ->
false
end)
# Should NOT be PasswordVerificationRequired
refute Enum.any?(errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
test "E2E: empty string oidc_id is treated as password-only account", %{conn: _conn} do
# User with empty oidc_id
_password_user =
create_test_user(%{
email: "empty@example.com",
password: "pass123",
oidc_id: ""
})
# Try OIDC registration
user_info = %{
"sub" => "oidc_new_222",
"preferred_username" => "empty@example.com"
}
{:error, %Ash.Error.Invalid{errors: errors}} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Should require password (empty string = no OIDC)
assert Enum.any?(errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
end
describe "E2E: Error scenarios" do
test "E2E: OIDC registration without oidc_id fails", %{conn: _conn} do
user_info = %{
"preferred_username" => "noid@example.com"
}
{:error, %Ash.Error.Invalid{errors: errors}} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
assert Enum.any?(errors, fn err ->
match?(%Ash.Error.Changes.InvalidChanges{}, err)
end)
end
test "E2E: OIDC registration without email fails", %{conn: _conn} do
user_info = %{
"sub" => "noemail_123"
}
{:error, %Ash.Error.Invalid{errors: errors}} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
assert Enum.any?(errors, fn err ->
match?(%Ash.Error.Changes.Required{field: :email}, err)
end)
end
end
end

271
test/mv_web/controllers/oidc_email_update_test.exs Normal file
View file

@ -0,0 +1,271 @@
defmodule MvWeb.OidcEmailUpdateTest do
@moduledoc """
Tests for OIDC email updates - when an existing OIDC user changes their email
in the OIDC provider and logs in again.
"""
use MvWeb.ConnCase, async: true
describe "OIDC user updates email to available email" do
test "should succeed and update email" do
# Create OIDC user
{:ok, oidc_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "original@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_123")
|> Ash.create()
# User logs in via OIDC with NEW email
user_info = %{
"sub" => "oidc_123",
"preferred_username" => "newemail@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should succeed and email should be updated
assert {:ok, updated_user} = result
assert updated_user.id == oidc_user.id
assert to_string(updated_user.email) == "newemail@example.com"
assert updated_user.oidc_id == "oidc_123"
end
end
describe "OIDC user updates email to email of passwordless user" do
test "should fail with clear error message" do
# Create OIDC user
{:ok, _oidc_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "oidcuser@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_456")
|> Ash.create()
# Create passwordless user with target email
{:ok, _passwordless_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "taken@example.com"
})
|> Ash.create()
# OIDC user tries to update email to taken email
user_info = %{
"sub" => "oidc_456",
"preferred_username" => "taken@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail with email update conflict error
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
# Should contain error about email being registered to another account
assert Enum.any?(errors, fn
%Ash.Error.Changes.InvalidAttribute{field: :email, message: message} ->
String.contains?(message, "Cannot update email to") and
String.contains?(message, "already registered to another account")
_ ->
false
end)
# Should NOT contain PasswordVerificationRequired
refute Enum.any?(errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
end
describe "OIDC user updates email to email of password-protected user" do
test "should fail with clear error message" do
# Create OIDC user
{:ok, _oidc_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "oidcuser2@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_789")
|> Ash.create()
# Create password user with target email (explicitly NO oidc_id)
password_user =
create_test_user(%{
email: "passworduser@example.com",
password: "securepass123"
})
# Ensure it's a password-only user
{:ok, password_user} = Ash.reload(password_user)
assert not is_nil(password_user.hashed_password)
# Force oidc_id to be nil to avoid any confusion
{:ok, password_user} =
password_user
|> Ash.Changeset.for_update(:update, %{})
|> Ash.Changeset.force_change_attribute(:oidc_id, nil)
|> Ash.update()
assert is_nil(password_user.oidc_id)
# OIDC user tries to update email to password user's email
user_info = %{
"sub" => "oidc_789",
"preferred_username" => "passworduser@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail with email update conflict error
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
# Should contain error about email being registered to another account
assert Enum.any?(errors, fn
%Ash.Error.Changes.InvalidAttribute{field: :email, message: message} ->
String.contains?(message, "Cannot update email to") and
String.contains?(message, "already registered to another account")
_ ->
false
end)
# Should NOT contain PasswordVerificationRequired
refute Enum.any?(errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
end
describe "OIDC user updates email to email of different OIDC user" do
test "should fail with clear error message about different OIDC account" do
# Create first OIDC user
{:ok, _oidc_user1} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "oidcuser1@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_aaa")
|> Ash.create()
# Create second OIDC user with target email
{:ok, _oidc_user2} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "oidcuser2@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_bbb")
|> Ash.create()
# First OIDC user tries to update email to second user's email
user_info = %{
"sub" => "oidc_aaa",
"preferred_username" => "oidcuser2@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail with "already linked to different OIDC account" error
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
# Should contain error about different OIDC account
assert Enum.any?(errors, fn
%Ash.Error.Changes.InvalidAttribute{field: :email, message: message} ->
String.contains?(message, "already linked to a different OIDC account")
_ ->
false
end)
# Should NOT contain PasswordVerificationRequired
refute Enum.any?(errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
end
describe "New OIDC user registration scenarios (for comparison)" do
test "new OIDC user with email of passwordless user triggers linking flow" do
# Create passwordless user
{:ok, passwordless_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "passwordless@example.com"
})
|> Ash.create()
# New OIDC user tries to register
user_info = %{
"sub" => "new_oidc_999",
"preferred_username" => "passwordless@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should trigger PasswordVerificationRequired (linking flow)
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
assert Enum.any?(errors, fn
%Mv.Accounts.User.Errors.PasswordVerificationRequired{user_id: user_id} ->
user_id == passwordless_user.id
_ ->
false
end)
end
test "new OIDC user with email of existing OIDC user shows hard error" do
# Create existing OIDC user
{:ok, _existing_oidc_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "existing@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "oidc_existing")
|> Ash.create()
# New OIDC user tries to register with same email
user_info = %{
"sub" => "oidc_new",
"preferred_username" => "existing@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail with "already linked to different OIDC account" error
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
assert Enum.any?(errors, fn
%Ash.Error.Changes.InvalidAttribute{field: :email, message: message} ->
String.contains?(message, "already linked to a different OIDC account")
_ ->
false
end)
end
end
end

136
test/mv_web/controllers/oidc_integration_test.exs
View file

@ -54,8 +54,128 @@ defmodule MvWeb.OidcIntegrationTest do
end
end
describe "OIDC sign-in security tests" do
@tag :test_proposal
test "sign_in_with_rauthy does NOT match user with only email (no oidc_id)" do
# SECURITY TEST: Ensure password-only users cannot be accessed via OIDC
# Create a password-only user (no oidc_id)
_password_user =
create_test_user(%{
email: "password.only@example.com",
password: "securepassword123",
oidc_id: nil
})
# Try to sign in with OIDC using the same email
user_info = %{
"sub" => "attacker_oidc_456",
"preferred_username" => "password.only@example.com"
}
# Should NOT find any user (security requirement)
result =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Either returns empty list OR authentication error - both mean "user not found"
case result do
{:ok, []} ->
:ok
{:error, %Ash.Error.Forbidden{errors: [%AshAuthentication.Errors.AuthenticationFailed{}]}} ->
:ok
other ->
flunk("Expected no user match, got: #{inspect(other)}")
end
end
@tag :test_proposal
test "sign_in_with_rauthy only matches when oidc_id matches" do
# Create user with specific OIDC ID
user =
create_test_user(%{
email: "oidc.user@example.com",
oidc_id: "correct_oidc_789"
})
# Try with correct oidc_id
correct_user_info = %{
"sub" => "correct_oidc_789",
"preferred_username" => "oidc.user@example.com"
}
{:ok, [found_user]} =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: correct_user_info,
oauth_tokens: %{}
})
assert found_user.id == user.id
# Try with wrong oidc_id but correct email
wrong_user_info = %{
"sub" => "wrong_oidc_999",
"preferred_username" => "oidc.user@example.com"
}
result =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: wrong_user_info,
oauth_tokens: %{}
})
# Either returns empty list OR authentication error - both mean "user not found"
case result do
{:ok, []} ->
:ok
{:error, %Ash.Error.Forbidden{errors: [%AshAuthentication.Errors.AuthenticationFailed{}]}} ->
:ok
other ->
flunk("Expected no user match when oidc_id differs, got: #{inspect(other)}")
end
end
@tag :test_proposal
test "sign_in_with_rauthy does not match user with empty string oidc_id" do
# Edge case: empty string should be treated like nil
_user =
create_test_user(%{
email: "empty.oidc@example.com",
oidc_id: ""
})
user_info = %{
"sub" => "new_oidc_111",
"preferred_username" => "empty.oidc@example.com"
}
result =
Mv.Accounts.read_sign_in_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Either returns empty list OR authentication error - both mean "user not found"
case result do
{:ok, []} ->
:ok
{:error, %Ash.Error.Forbidden{errors: [%AshAuthentication.Errors.AuthenticationFailed{}]}} ->
:ok
other ->
flunk("Expected no user match with empty oidc_id, got: #{inspect(other)}")
end
end
end
describe "OIDC error and edge case scenarios" do
test "OIDC registration with conflicting email and OIDC ID shows error" do
test "OIDC registration with conflicting email and OIDC ID shows hard error" do
# Create user with email and OIDC ID
_existing_user =
create_test_user(%{
@ -75,16 +195,24 @@ defmodule MvWeb.OidcIntegrationTest do
oauth_tokens: %{}
})
# Should fail due to unique constraint
# Should fail with hard error (not PasswordVerificationRequired)
# This prevents someone with OIDC provider B from taking over an account
# that's already linked to OIDC provider A
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
# Should contain error about "already linked to a different OIDC account"
assert Enum.any?(errors, fn
%Ash.Error.Changes.InvalidAttribute{field: :email, message: message} ->
String.contains?(message, "has already been taken")
%Ash.Error.Changes.InvalidAttribute{message: msg} ->
String.contains?(msg, "already linked to a different OIDC account")
_ ->
false
end)
# Should NOT be PasswordVerificationRequired
refute Enum.any?(errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
test "OIDC registration with missing sub and id should fail" do

496
test/mv_web/controllers/oidc_password_linking_test.exs Normal file
View file

@ -0,0 +1,496 @@
defmodule MvWeb.OidcPasswordLinkingTest do
@moduledoc """
Tests for OIDC account linking when email collision occurs.
This test suite verifies the security flow when an OIDC login attempts
to use an email that already exists in the system with a password account.
"""
use MvWeb.ConnCase, async: true
require Ash.Query
describe "OIDC login with existing email (no oidc_id) - Email Collision" do
@tag :test_proposal
test "OIDC register with existing password user email fails with PasswordVerificationRequired" do
# Create password-only user
existing_user =
create_test_user(%{
email: "existing@example.com",
password: "securepassword123",
oidc_id: nil
})
# Try OIDC registration with same email
user_info = %{
"sub" => "new_oidc_12345",
"preferred_username" => "existing@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Should fail with PasswordVerificationRequired error
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
# Check that the error is our custom PasswordVerificationRequired
password_verification_error =
Enum.find(errors, fn err ->
err.__struct__ == Mv.Accounts.User.Errors.PasswordVerificationRequired
end)
assert password_verification_error != nil,
"Should contain PasswordVerificationRequired error"
assert password_verification_error.user_id == existing_user.id
end
@tag :test_proposal
test "PasswordVerificationRequired error contains necessary context" do
existing_user =
create_test_user(%{
email: "test@example.com",
password: "password123",
oidc_id: nil
})
user_info = %{
"sub" => "oidc_99999",
"preferred_username" => "test@example.com"
}
{:error, %Ash.Error.Invalid{errors: errors}} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
password_error =
Enum.find(errors, fn err ->
err.__struct__ == Mv.Accounts.User.Errors.PasswordVerificationRequired
end)
# Verify error contains all necessary context
assert password_error.user_id == existing_user.id
assert password_error.oidc_user_info["sub"] == "oidc_99999"
assert password_error.oidc_user_info["preferred_username"] == "test@example.com"
end
@tag :test_proposal
test "after successful password verification, oidc_id can be set" do
# Create password user
user =
create_test_user(%{
email: "link@example.com",
password: "mypassword123",
oidc_id: nil
})
# Simulate password verification passed, now link OIDC
user_info = %{
"sub" => "linked_oidc_555",
"preferred_username" => "link@example.com"
}
# Use the link_oidc_id action
{:ok, updated_user} =
Mv.Accounts.User
|> Ash.Query.filter(id == ^user.id)
|> Ash.read_one!()
|> Ash.Changeset.for_update(:link_oidc_id, %{
oidc_id: user_info["sub"],
oidc_user_info: user_info
})
|> Ash.update()
assert updated_user.id == user.id
assert updated_user.oidc_id == "linked_oidc_555"
assert to_string(updated_user.email) == "link@example.com"
# Password should still exist
assert updated_user.hashed_password == user.hashed_password
end
@tag :test_proposal
test "password verification with wrong password keeps oidc_id as nil" do
# This test verifies that if password verification fails,
# the oidc_id should NOT be set
user =
create_test_user(%{
email: "secure@example.com",
password: "correctpassword",
oidc_id: nil
})
# This test verifies the CONCEPT that wrong password should prevent linking
# In practice, the password verification happens BEFORE calling link_oidc_id
# So we just verify that the user still has no oidc_id
# Attempt to verify with wrong password would fail in the controller/LiveView
# before link_oidc_id is called, so here we just verify the user state
# User should still have no oidc_id (no linking happened)
{:ok, unchanged_user} = Ash.get(Mv.Accounts.User, user.id)
assert is_nil(unchanged_user.oidc_id)
assert unchanged_user.hashed_password == user.hashed_password
end
end
describe "OIDC login with email of user having different oidc_id - Account Conflict" do
@tag :test_proposal
test "OIDC register with email of user having different oidc_id fails" do
# User already linked to OIDC provider A
_existing_user =
create_test_user(%{
email: "linked@example.com",
oidc_id: "oidc_provider_a_123"
})
# Someone tries to register with OIDC provider B using same email
user_info = %{
# Different OIDC ID!
"sub" => "oidc_provider_b_456",
"preferred_username" => "linked@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Should fail - cannot link different OIDC account to same email
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
# The error should indicate email is already taken
assert Enum.any?(errors, fn err ->
(err.__struct__ == Ash.Error.Changes.InvalidAttribute and err.field == :email) or
err.__struct__ == Mv.Accounts.User.Errors.PasswordVerificationRequired
end)
end
@tag :test_proposal
test "existing OIDC user email remains unchanged when oidc_id matches" do
user =
create_test_user(%{
email: "oidc@example.com",
oidc_id: "oidc_stable_789"
})
# Same OIDC ID, same email - should just sign in
user_info = %{
"sub" => "oidc_stable_789",
"preferred_username" => "oidc@example.com"
}
# This should work via upsert
{:ok, updated_user} =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
assert updated_user.id == user.id
assert updated_user.oidc_id == "oidc_stable_789"
assert to_string(updated_user.email) == "oidc@example.com"
end
end
describe "Email update during OIDC linking" do
@tag :test_proposal
test "linking OIDC to password account updates email if different in OIDC" do
# Password user with old email
user =
create_test_user(%{
email: "oldemail@example.com",
password: "password123",
oidc_id: nil
})
# OIDC provider returns new email (user changed it there)
user_info = %{
"sub" => "oidc_link_999",
"preferred_username" => "newemail@example.com"
}
# After password verification, link and update email
{:ok, updated_user} =
Mv.Accounts.User
|> Ash.Query.filter(id == ^user.id)
|> Ash.read_one!()
|> Ash.Changeset.for_update(:link_oidc_id, %{
oidc_id: user_info["sub"],
oidc_user_info: user_info
})
|> Ash.update()
assert updated_user.oidc_id == "oidc_link_999"
assert to_string(updated_user.email) == "newemail@example.com"
end
@tag :test_proposal
test "email change during linking triggers member email sync" do
# Create member
member =
Ash.Seed.seed!(Mv.Membership.Member, %{
email: "member@example.com",
first_name: "Test",
last_name: "User"
})
# Create user linked to member
user =
Ash.Seed.seed!(Mv.Accounts.User, %{
email: "member@example.com",
hashed_password: "dummy_hash",
oidc_id: nil,
member_id: member.id
})
# Link OIDC with new email
user_info = %{
"sub" => "oidc_sync_777",
"preferred_username" => "newemail@example.com"
}
{:ok, updated_user} =
Mv.Accounts.User
|> Ash.Query.filter(id == ^user.id)
|> Ash.read_one!()
|> Ash.Changeset.for_update(:link_oidc_id, %{
oidc_id: user_info["sub"],
oidc_user_info: user_info
})
|> Ash.update()
# Verify user email changed
assert to_string(updated_user.email) == "newemail@example.com"
# Verify member email was synced
{:ok, updated_member} = Ash.get(Mv.Membership.Member, member.id)
assert to_string(updated_member.email) == "newemail@example.com"
end
end
describe "Edge cases" do
@tag :test_proposal
test "user with empty string oidc_id is treated as password-only user" do
_user =
create_test_user(%{
email: "empty@example.com",
password: "password123",
oidc_id: ""
})
# Try OIDC registration with same email
user_info = %{
"sub" => "oidc_new_111",
"preferred_username" => "empty@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{}
})
# Should trigger PasswordVerificationRequired (empty string = no OIDC)
assert {:error, %Ash.Error.Invalid{errors: errors}} = result
password_error =
Enum.find(errors, fn err ->
err.__struct__ == Mv.Accounts.User.Errors.PasswordVerificationRequired
end)
assert password_error != nil
end
@tag :test_proposal
test "cannot link same oidc_id to multiple users" do
# User 1 with OIDC
_user1 =
create_test_user(%{
email: "user1@example.com",
oidc_id: "shared_oidc_333"
})
# Try to create user 2 with same OIDC ID using raw Ash.Changeset
# (create_test_user uses Ash.Seed which does upsert)
result =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "user2@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "shared_oidc_333")
|> Ash.create()
# Should fail due to unique constraint on oidc_id
assert match?({:error, %Ash.Error.Invalid{}}, result)
{:error, error} = result
# Verify the error is about oidc_id uniqueness
assert Enum.any?(error.errors, fn err ->
match?(%Ash.Error.Changes.InvalidAttribute{field: :oidc_id}, err)
end)
end
end
describe "OIDC login with passwordless user - Requires Linking Flow" do
test "user without password and without oidc_id triggers PasswordVerificationRequired" do
# Create user without password (e.g., invited user)
{:ok, existing_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "invited@example.com"
})
|> Ash.create()
# Verify user has no password and no oidc_id
assert is_nil(existing_user.hashed_password)
assert is_nil(existing_user.oidc_id)
# OIDC registration should trigger linking flow (not automatic)
user_info = %{
"sub" => "auto_link_oidc_123",
"preferred_username" => "invited@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail with PasswordVerificationRequired
# The LinkOidcAccountLive will auto-link without password prompt
assert {:error, %Ash.Error.Invalid{}} = result
{:error, error} = result
assert Enum.any?(error.errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
test "user without password but WITH password later requires verification" do
# Create user without password first
{:ok, user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "added-password@example.com"
})
|> Ash.create()
# User sets password later (using admin action)
{:ok, user_with_password} =
user
|> Ash.Changeset.for_update(:admin_set_password, %{
password: "newpassword123"
})
|> Ash.update()
assert not is_nil(user_with_password.hashed_password)
# Now OIDC login should require password verification
user_info = %{
"sub" => "needs_verification",
"preferred_username" => "added-password@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail with PasswordVerificationRequired
assert {:error, %Ash.Error.Invalid{}} = result
{:error, error} = result
assert Enum.any?(error.errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
end
describe "OIDC login with different oidc_id - Hard Error" do
test "user with different oidc_id cannot be linked (hard error)" do
# Create user with existing OIDC ID
{:ok, existing_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "already-linked@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "original_oidc_999")
|> Ash.create()
assert existing_user.oidc_id == "original_oidc_999"
# Try to register with same email but different OIDC ID
user_info = %{
"sub" => "different_oidc_888",
"preferred_username" => "already-linked@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail with hard error (not PasswordVerificationRequired)
assert {:error, %Ash.Error.Invalid{}} = result
{:error, error} = result
# Should NOT be PasswordVerificationRequired
refute Enum.any?(error.errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
# Should be a validation error about email already linked
assert Enum.any?(error.errors, fn err ->
case err do
%Ash.Error.Changes.InvalidAttribute{message: msg} ->
String.contains?(msg, "already linked to a different OIDC account")
_ ->
false
end
end)
end
test "cannot link different oidc_id even with password verification" do
# Create user with password AND existing OIDC ID
existing_user =
create_test_user(%{
email: "password-and-oidc@example.com",
password: "mypassword123",
oidc_id: "first_oidc_111"
})
assert existing_user.oidc_id == "first_oidc_111"
assert not is_nil(existing_user.hashed_password)
# Try to register with different OIDC ID
user_info = %{
"sub" => "second_oidc_222",
"preferred_username" => "password-and-oidc@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail - cannot link different OIDC ID
assert {:error, %Ash.Error.Invalid{}} = result
{:error, error} = result
# Should be a hard error, not password verification
refute Enum.any?(error.errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
end
end

210
test/mv_web/controllers/oidc_passwordless_linking_test.exs Normal file
View file

@ -0,0 +1,210 @@
defmodule MvWeb.OidcPasswordlessLinkingTest do
@moduledoc """
Tests for OIDC account linking with passwordless users.
These tests verify the behavior when a passwordless user
(e.g., invited user, user created by admin) attempts to log in via OIDC.
"""
use MvWeb.ConnCase, async: true
describe "Passwordless user - Automatic linking via special action" do
test "passwordless user can be linked via link_passwordless_oidc action" do
# Create user without password (e.g., invited user)
{:ok, existing_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "invited@example.com"
})
|> Ash.create()
# Verify user has no password and no oidc_id
assert is_nil(existing_user.hashed_password)
assert is_nil(existing_user.oidc_id)
# Link via special action (simulating what happens after first OIDC attempt)
{:ok, linked_user} =
existing_user
|> Ash.Changeset.for_update(:link_oidc_id, %{
oidc_id: "auto_link_oidc_123",
oidc_user_info: %{
"sub" => "auto_link_oidc_123",
"preferred_username" => "invited@example.com"
}
})
|> Ash.update()
# User should now have oidc_id linked
assert linked_user.oidc_id == "auto_link_oidc_123"
assert linked_user.id == existing_user.id
# Now OIDC sign-in should work
result =
Mv.Accounts.User
|> Ash.Query.for_read(:sign_in_with_rauthy, %{
user_info: %{
"sub" => "auto_link_oidc_123",
"preferred_username" => "invited@example.com"
},
oauth_tokens: %{"access_token" => "test_token"}
})
|> Ash.read_one()
assert {:ok, signed_in_user} = result
assert signed_in_user.id == existing_user.id
end
test "passwordless user triggers PasswordVerificationRequired for linking flow" do
# Create passwordless user
{:ok, existing_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "passwordless@example.com"
})
|> Ash.create()
assert is_nil(existing_user.hashed_password)
assert is_nil(existing_user.oidc_id)
# Try OIDC registration - should trigger PasswordVerificationRequired
user_info = %{
"sub" => "new_oidc_456",
"preferred_username" => "passwordless@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail with PasswordVerificationRequired
# LinkOidcAccountLive will auto-link without password prompt
assert {:error, %Ash.Error.Invalid{}} = result
{:error, error} = result
assert Enum.any?(error.errors, fn err ->
case err do
%Mv.Accounts.User.Errors.PasswordVerificationRequired{user_id: user_id} ->
user_id == existing_user.id
_ ->
false
end
end)
end
end
describe "User with different OIDC ID - Hard Error" do
test "user with different oidc_id gets hard error, not password verification" do
# Create user with existing OIDC ID
{:ok, _existing_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "already-linked@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "original_oidc_999")
|> Ash.create()
# Try to register with same email but different OIDC ID
user_info = %{
"sub" => "different_oidc_888",
"preferred_username" => "already-linked@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should fail with hard error
assert {:error, %Ash.Error.Invalid{}} = result
{:error, error} = result
# Should NOT be PasswordVerificationRequired
refute Enum.any?(error.errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
# Should have error message about already linked
assert Enum.any?(error.errors, fn err ->
case err do
%Ash.Error.Changes.InvalidAttribute{message: msg} ->
String.contains?(msg, "already linked to a different OIDC account")
_ ->
false
end
end)
end
test "passwordless user with different oidc_id also gets hard error" do
# Create passwordless user with OIDC ID
{:ok, existing_user} =
Mv.Accounts.User
|> Ash.Changeset.for_create(:create_user, %{
email: "passwordless-linked@example.com"
})
|> Ash.Changeset.force_change_attribute(:oidc_id, "first_oidc_777")
|> Ash.create()
assert is_nil(existing_user.hashed_password)
assert existing_user.oidc_id == "first_oidc_777"
# Try to register with different OIDC ID
user_info = %{
"sub" => "second_oidc_666",
"preferred_username" => "passwordless-linked@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should be hard error, not PasswordVerificationRequired
assert {:error, %Ash.Error.Invalid{}} = result
{:error, error} = result
refute Enum.any?(error.errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
end
describe "Password user - Requires verification (existing behavior)" do
test "password user without oidc_id requires password verification" do
# Create password user
password_user =
create_test_user(%{
email: "password@example.com",
password: "securepass123",
oidc_id: nil
})
assert not is_nil(password_user.hashed_password)
assert is_nil(password_user.oidc_id)
# Try OIDC registration
user_info = %{
"sub" => "new_oidc_999",
"preferred_username" => "password@example.com"
}
result =
Mv.Accounts.create_register_with_rauthy(%{
user_info: user_info,
oauth_tokens: %{"access_token" => "test_token"}
})
# Should require password verification
assert {:error, %Ash.Error.Invalid{}} = result
{:error, error} = result
assert Enum.any?(error.errors, fn err ->
match?(%Mv.Accounts.User.Errors.PasswordVerificationRequired{}, err)
end)
end
end
end