Skip to content

core: oauth: allow multiple ids #1142

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
undefined-moe merged 1 commit into from
Apr 8, 2026
Merged

core: oauth: allow multiple ids #1142

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 8 additions & 7 deletions packages/hydrooj/src/handler/user.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -467,26 +467,27 @@ class OauthCallbackHandler extends Handler {
if (!provider) throw new UserFacingError('Oauth type');
await this.limitRate('oauth_callback', 60, 5);
const r = await provider.callback.call(this, args);
const ids = Array.isArray(r._id) ? r._id : [r._id];
const existing = await Promise.all(ids.map((id) => this.ctx.oauth.get(args.type, id)));
if (this.session.oauthBind === args.type) {
delete this.session.oauthBind;
const existing = await this.ctx.oauth.get(args.type, r._id);
if (existing && existing !== this.user._id) {
if (existing.some((id) => id && id !== this.user._id)) {
throw new BadRequestError('Already binded to another account');
}
this.response.redirect = '/home/security';
if (existing !== this.user._id) await this.ctx.oauth.set(args.type, r._id, this.user._id);
await Promise.all(ids.map((i) => this.ctx.oauth.set(args.type, i, this.user._id)));
return;
}
const effective = existing.find((i) => i);

const uid = await this.ctx.oauth.get(args.type, r._id);
if (uid) {
await successfulAuth.call(this, await user.getById('system', uid));
if (effective) {
await successfulAuth.call(this, await user.getById('system', effective));
this.response.redirect = '/';
Comment on lines +470 to 485

@coderabbitai coderabbitai Bot Apr 2, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Fail closed when the candidate ids map to different users.

Line 481 picks the first truthy uid from existing. If two returned ids are already bound to different Hydro accounts, provider order decides which account gets logged in. Require all non-null bindings to collapse to a single uid before calling successfulAuth.

🔒 Suggested guard 
         if (this.session.oauthBind === args.type) {
             delete this.session.oauthBind;
-            if (existing.some((id) => id && id !== this.user._id)) {
+            if (existing.some((uid) => uid !== null && uid !== this.user._id)) {
                 throw new BadRequestError('Already binded to another account');
             }
             this.response.redirect = '/home/security';
             await Promise.all(ids.map((i) => this.ctx.oauth.set(args.type, i, this.user._id)));
             return;
         }
-        const effective = existing.find((i) => i);
+        const boundUids = [...new Set(existing.filter((uid): uid is number => uid !== null))];
+        if (boundUids.length > 1) {
+            throw new BadRequestError('OAuth ids are bound to multiple accounts');
+        }
+        const effective = boundUids[0];
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const ids = Array.isArray(r._id) ? r._id : [r._id];
const existing = await Promise.all(ids.map((id) => this.ctx.oauth.get(args.type, id)));
if (this.session.oauthBind === args.type) {
delete this.session.oauthBind;
const existing = await this.ctx.oauth.get(args.type, r._id);
if (existing && existing !== this.user._id) {
if (existing.some((id) => id && id !== this.user._id)) {
throw new BadRequestError('Already binded to another account');
}
this.response.redirect = '/home/security';
if (existing !== this.user._id) await this.ctx.oauth.set(args.type, r._id, this.user._id);
await Promise.all(ids.map((i) => this.ctx.oauth.set(args.type, i, this.user._id)));
return;
}
const effective = existing.find((i) => i);
const uid = await this.ctx.oauth.get(args.type, r._id);
if (uid) {
await successfulAuth.call(this, await user.getById('system', uid));
if (effective) {
await successfulAuth.call(this, await user.getById('system', effective));
this.response.redirect = '/';
const ids = Array.isArray(r._id) ? r._id : [r._id];
const existing = await Promise.all(ids.map((id) => this.ctx.oauth.get(args.type, id)));
if (this.session.oauthBind === args.type) {
delete this.session.oauthBind;
if (existing.some((uid) => uid !== null && uid !== this.user._id)) {
throw new BadRequestError('Already binded to another account');
}
this.response.redirect = '/home/security';
await Promise.all(ids.map((i) => this.ctx.oauth.set(args.type, i, this.user._id)));
return;
}
const boundUids = [...new Set(existing.filter((uid): uid is number => uid !== null))];
if (boundUids.length > 1) {
throw new BadRequestError('OAuth ids are bound to multiple accounts');
}
const effective = boundUids[0];
if (effective) {
await successfulAuth.call(this, await user.getById('system', effective));
this.response.redirect = '/';
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@packages/hydrooj/src/handler/user.ts` around lines 470 - 485, The code
currently picks the first truthy UID from existing and logs in that account;
instead, ensure all non-null entries in existing refer to the same UID before
calling successfulAuth. Change the logic around existing/effective: collect
unique non-null UIDs from existing (from this.ctx.oauth.get results), if more
than one throw BadRequestError('OAuth identities already bound to different
accounts'), if exactly one use that UID as effective and call
successfulAuth(await user.getById('system', effective)), otherwise proceed as
before; keep the oauth set flow (this.ctx.oauth.set) unchanged.

return;
}
const udoc = await user.getByEmail('system', r.email);
if (udoc) {
await this.ctx.oauth.set(args.type, r._id, udoc._id);
await Promise.all(ids.map((i) => this.ctx.oauth.set(args.type, i, udoc._id)));
await successfulAuth.call(this, udoc);
this.response.redirect = '/';
return;
Expand Down
2 changes: 1 addition & 1 deletion packages/hydrooj/src/model/oauth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ declare module '../context' {
}

export interface OAuthUserResponse {
_id: string;
_id: string | string[];
email: string;
avatar?: string;
bio?: string;
Expand Down
Loading