fix(storage): prevent order-dependent org fallback account binding

ndycode · ndycode · commit 0552fbf69f59 · 2026-02-28T02:13:18.000+08:00
diff --git a/lib/storage.ts b/lib/storage.ts
@@ -461,6 +461,12 @@ function deduplicateAccountsByRefreshToken<T extends AccountLike>(accounts: T[])
         remainingFallbacks.push(fallbackIndex);
         continue;
       }
+      const preferredAccountId = getAccountIdKey(currentPreferred);
+      const sourceAccountId = getAccountIdKey(source);
+      if (!preferredAccountId && sourceAccountId) {
+        remainingFallbacks.push(fallbackIndex);
+        continue;
+      }
 
       if (!canMergeByRefreshToken(currentPreferred, source)) {
         remainingFallbacks.push(fallbackIndex);
diff --git a/test/storage.test.ts b/test/storage.test.ts
@@ -1077,6 +1077,39 @@ describe("storage", () => {
       expect(result?.accounts.map((account) => account.organizationId).sort()).toEqual(["org-1", "org-2"]);
     });
 
+    it("does not bind org-scoped entry with empty accountId to fallback accountId based on order", () => {
+      const firstOrder = normalizeAccountStorage({
+        version: 3,
+        activeIndex: 0,
+        accounts: [
+          { organizationId: "org-1", refreshToken: "shared-refresh", addedAt: 1, lastUsed: 1 },
+          { accountId: "workspace-a", refreshToken: "shared-refresh", addedAt: 2, lastUsed: 2 },
+          { accountId: "workspace-b", refreshToken: "shared-refresh", addedAt: 3, lastUsed: 3 },
+        ],
+      });
+      const secondOrder = normalizeAccountStorage({
+        version: 3,
+        activeIndex: 0,
+        accounts: [
+          { organizationId: "org-1", refreshToken: "shared-refresh", addedAt: 1, lastUsed: 1 },
+          { accountId: "workspace-b", refreshToken: "shared-refresh", addedAt: 2, lastUsed: 2 },
+          { accountId: "workspace-a", refreshToken: "shared-refresh", addedAt: 3, lastUsed: 3 },
+        ],
+      });
+
+      for (const normalized of [firstOrder, secondOrder]) {
+        expect(normalized?.accounts).toHaveLength(3);
+        const orgScoped = normalized?.accounts.find((account) => account.organizationId === "org-1");
+        expect(orgScoped).toBeDefined();
+        expect(orgScoped?.accountId).toBeUndefined();
+        const noOrgAccountIds = normalized?.accounts
+          .filter((account) => !account.organizationId)
+          .map((account) => account.accountId)
+          .sort();
+        expect(noOrgAccountIds).toEqual(["workspace-a", "workspace-b"]);
+      }
+    });
+
     it("retains legacy no-organization dedupe semantics", () => {
       const data = {
         version: 3,
