101 lines
3 KiB
Elixir
101 lines
3 KiB
Elixir
defmodule Mv.Accounts.User.Validations.OidcEmailCollision do
|
|
@moduledoc """
|
|
Validation that checks for email collisions during OIDC registration.
|
|
|
|
This validation prevents OIDC accounts from automatically taking over existing
|
|
password-only accounts. Instead, it requires password verification.
|
|
|
|
## Scenarios:
|
|
|
|
1. **User exists with matching oidc_id**:
|
|
- Allow (upsert will update the existing user)
|
|
|
|
2. **User exists with email but NO oidc_id (or empty string)**:
|
|
- Raise PasswordVerificationRequired error
|
|
- User must verify password before linking
|
|
|
|
3. **User exists with email AND different oidc_id**:
|
|
- Raise PasswordVerificationRequired error
|
|
- This prevents linking different OIDC providers to same account
|
|
|
|
4. **No user exists with this email**:
|
|
- Allow (new user will be created)
|
|
"""
|
|
use Ash.Resource.Validation
|
|
|
|
alias Mv.Accounts.User.Errors.PasswordVerificationRequired
|
|
|
|
@impl true
|
|
def init(opts), do: {:ok, opts}
|
|
|
|
@impl true
|
|
def validate(changeset, _opts, _context) do
|
|
# Get the email and oidc_id from the changeset
|
|
email = Ash.Changeset.get_attribute(changeset, :email)
|
|
oidc_id = Ash.Changeset.get_attribute(changeset, :oidc_id)
|
|
user_info = Ash.Changeset.get_argument(changeset, :user_info)
|
|
|
|
# Only validate if we have both email and oidc_id (from OIDC registration)
|
|
if email && oidc_id && user_info do
|
|
check_email_collision(email, oidc_id, user_info)
|
|
else
|
|
:ok
|
|
end
|
|
end
|
|
|
|
defp check_email_collision(email, new_oidc_id, user_info) do
|
|
# Find existing user with this email
|
|
case Mv.Accounts.User
|
|
|> Ash.Query.filter(email == ^to_string(email))
|
|
|> Ash.read_one() do
|
|
{:ok, nil} ->
|
|
# No user exists with this email - OK to create new user
|
|
:ok
|
|
|
|
{:ok, existing_user} ->
|
|
# User exists - check oidc_id
|
|
handle_existing_user(existing_user, new_oidc_id, user_info)
|
|
|
|
{:error, error} ->
|
|
# Database error
|
|
{:error, field: :email, message: "Could not verify email uniqueness: #{inspect(error)}"}
|
|
end
|
|
end
|
|
|
|
defp handle_existing_user(existing_user, new_oidc_id, user_info) do
|
|
existing_oidc_id = existing_user.oidc_id
|
|
|
|
cond do
|
|
# Case 1: Same oidc_id - this is an upsert, allow it
|
|
existing_oidc_id == new_oidc_id ->
|
|
:ok
|
|
|
|
# Case 2: No oidc_id set (nil or empty string) - password-only user
|
|
is_nil(existing_oidc_id) or existing_oidc_id == "" ->
|
|
{:error,
|
|
PasswordVerificationRequired.exception(
|
|
user_id: existing_user.id,
|
|
oidc_user_info: user_info
|
|
)}
|
|
|
|
# Case 3: Different oidc_id - account conflict
|
|
true ->
|
|
{:error,
|
|
PasswordVerificationRequired.exception(
|
|
user_id: existing_user.id,
|
|
oidc_user_info: user_info
|
|
)}
|
|
end
|
|
end
|
|
|
|
@impl true
|
|
def atomic?(), do: false
|
|
|
|
@impl true
|
|
def describe(_opts) do
|
|
[
|
|
message: "OIDC email collision detected",
|
|
vars: []
|
|
]
|
|
end
|
|
end
|