@@ -467,26 +467,27 @@ class OauthCallbackHandler extends Handler {
467467 if ( ! provider ) throw new UserFacingError ( 'Oauth type' ) ;
468468 await this . limitRate ( 'oauth_callback' , 60 , 5 ) ;
469469 const r = await provider . callback . call ( this , args ) ;
470+ const ids = Array . isArray ( r . _id ) ? r . _id : [ r . _id ] ;
471+ const existing = await Promise . all ( ids . map ( ( id ) => this . ctx . oauth . get ( args . type , id ) ) ) ;
470472 if ( this . session . oauthBind === args . type ) {
471473 delete this . session . oauthBind ;
472- const existing = await this . ctx . oauth . get ( args . type , r . _id ) ;
473- if ( existing && existing !== this . user . _id ) {
474+ if ( existing . some ( ( id ) => id && id !== this . user . _id ) ) {
474475 throw new BadRequestError ( 'Already binded to another account' ) ;
475476 }
476477 this . response . redirect = '/home/security' ;
477- if ( existing !== this . user . _id ) await this . ctx . oauth . set ( args . type , r . _id , this . user . _id ) ;
478+ await Promise . all ( ids . map ( ( i ) => this . ctx . oauth . set ( args . type , i , this . user . _id ) ) ) ;
478479 return ;
479480 }
481+ const effective = existing . find ( ( i ) => i ) ;
480482
481- const uid = await this . ctx . oauth . get ( args . type , r . _id ) ;
482- if ( uid ) {
483- await successfulAuth . call ( this , await user . getById ( 'system' , uid ) ) ;
483+ if ( effective ) {
484+ await successfulAuth . call ( this , await user . getById ( 'system' , effective ) ) ;
484485 this . response . redirect = '/' ;
485486 return ;
486487 }
487488 const udoc = await user . getByEmail ( 'system' , r . email ) ;
488489 if ( udoc ) {
489- await this . ctx . oauth . set ( args . type , r . _id , udoc . _id ) ;
490+ await Promise . all ( ids . map ( ( i ) => this . ctx . oauth . set ( args . type , i , udoc . _id ) ) ) ;
490491 await successfulAuth . call ( this , udoc ) ;
491492 this . response . redirect = '/' ;
492493 return ;
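Review bot: The login path signs in whichever account `existing.find((i) => i)` returns, so when the provider reports several ids that are already bound to different local accounts, the first one in the array wins silently and the provider's ordering decides which user is authenticated. I would collect the distinct bound uids and reject the ambiguous case before calling successfulAuth: `const bound = [...new Set(existing.filter((i) => i))];` followed by `if (bound.length > 1) throw new BadRequestError('Already binded to another account');`. Ids that are still unbound are not attached to `effective` on this path, unlike in the bind and email branches, which looks unintended. The email branch now links every returned id to the account matched by `r.email`, which presumably relies on the provider reporting only verified addresses; a comment stating that assumption would help. The handler method starts and ends outside this hunk.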