wip

Author: brendan-kellam

packages/shared/src/env.server.ts

@@ -138,8 +138,14 @@ export const env = createEnv({
         AUTH_URL: z.string().url(),
         AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.default('true'),
         AUTH_EMAIL_CODE_LOGIN_ENABLED: booleanSchema.default('false'),
-
+        
         // Enterprise Auth
+
+        AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING:
+            booleanSchema
+            .default('false')
+            .describe('When enabled, different SSO accounts with the same email address will automatically be linked.'),
+
         AUTH_EE_GITHUB_CLIENT_ID: z.string().optional(),
         AUTH_EE_GITHUB_CLIENT_SECRET: z.string().optional(),
         AUTH_EE_GITHUB_BASE_URL: z.string().optional(),

packages/web/src/ee/features/sso/sso.ts

@@ -139,6 +139,7 @@ const createGitHubProvider = (clientId: string, clientSecret: string, baseUrl?:
                 ].join(' '),
             },
         },
+        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
     });
 }
 
@@ -168,13 +169,15 @@ const createGitLabProvider = (clientId: string, clientSecret: string, baseUrl?:
         userinfo: {
             url: `${url}/api/v4/user`,
         },
+        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
     });
 }
 
 const createGoogleProvider = (clientId: string, clientSecret: string): Provider => {
     return Google({
         clientId: clientId,
         clientSecret: clientSecret,
+        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
     });
 }
 
@@ -183,6 +186,7 @@ const createOktaProvider = (clientId: string, clientSecret: string, issuer: stri
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
+        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
     });
 }
 
@@ -191,6 +195,7 @@ const createKeycloakProvider = (clientId: string, clientSecret: string, issuer:
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
+        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
     });
 }
 
@@ -199,6 +204,16 @@ const createMicrosoftEntraIDProvider = (clientId: string, clientSecret: string,
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
+        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+    });
+}
+
+export const createAuthentikProvider = (clientId: string, clientSecret: string, issuer: string): Provider => {
+    return Authentik({
+        clientId: clientId,
+        clientSecret: clientSecret,
+        issuer: issuer,
+        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
     });
 }
 
@@ -207,7 +222,7 @@ const createGCPIAPProvider = (audience: string): Provider => {
         id: "gcp-iap",
         name: "Google Cloud IAP",
         credentials: {},
-        authorize: async (credentials, req) => {
+        authorize: async (_credentials, req) => {
             try {
                 const iapAssertion = req.headers?.get("x-goog-iap-jwt-assertion");
                 if (!iapAssertion || typeof iapAssertion !== "string") {
@@ -277,11 +292,3 @@ const createGCPIAPProvider = (audience: string): Provider => {
         },
     });
 }
-
-export const createAuthentikProvider = (clientId: string, clientSecret: string, issuer: string): Provider => {
-    return Authentik({
-        clientId: clientId,
-        clientSecret: clientSecret,
-        issuer: issuer,
-    });
-}