deprecate AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING option and always enable it

brendan-kellam · brendan-kellam · commit a2d29f2ab5a2 · 2026-02-25T20:13:15.000-08:00
diff --git a/docs/docs/configuration/environment-variables.mdx b/docs/docs/configuration/environment-variables.mdx
@@ -45,7 +45,6 @@ The following environment variables allow you to configure your Sourcebot deploy
 | `AUTH_EE_GCP_IAP_ENABLED` | `false` | <p>When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect</p> |
 | `AUTH_EE_GCP_IAP_AUDIENCE` | - | <p>The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning</p> | 
 | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` | <p>Enables [permission syncing](/docs/features/permission-syncing).</p> |
-| `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `false` | <p>When enabled, different SSO accounts with the same email address will automatically be linked.</p> |
 
 
 ### Review Agent Environment Variables
diff --git a/packages/shared/src/env.server.ts b/packages/shared/src/env.server.ts
@@ -140,11 +140,6 @@ export const env = createEnv({
         AUTH_CREDENTIALS_LOGIN_ENABLED: booleanSchema.default('true'),
         AUTH_EMAIL_CODE_LOGIN_ENABLED: booleanSchema.default('false'),
 
-        // Enterprise Auth
-        AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING:
-            booleanSchema
-            .default('false')
-            .describe('When enabled, different SSO accounts with the same email address will automatically be linked.'),
 
         AUTH_EE_GCP_IAP_ENABLED: booleanSchema.default('false'),
         AUTH_EE_GCP_IAP_AUDIENCE: z.string().optional(),
@@ -289,6 +284,15 @@ export const env = createEnv({
 
         //// DEPRECATED ////
 
+
+        /**
+         * @deprecated This setting is deprecated. Email account linking is now always enabled.
+         */
+        AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING:
+            booleanSchema
+            .default('false')
+            .describe('This setting is deprecated. Email account linking is now always enabled.'),
+
         /**
          * @deprecated This setting is deprecated. Please use the `identityProviders` section of the config file instead.
          */
diff --git a/packages/web/src/ee/features/sso/sso.ts b/packages/web/src/ee/features/sso/sso.ts
@@ -156,7 +156,7 @@ const createGitHubProvider = (clientId: string, clientSecret: string, baseUrl?:
                 ].join(' '),
             },
         },
-        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -187,7 +187,7 @@ const createGitLabProvider = (clientId: string, clientSecret: string, baseUrl?:
         userinfo: {
             url: `${url}/api/v4/user`,
         },
-        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -196,7 +196,7 @@ const createGoogleProvider = (clientId: string, clientSecret: string): Provider
         id: 'google' satisfies IdentityProviderType,
         clientId: clientId,
         clientSecret: clientSecret,
-        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -206,7 +206,7 @@ const createOktaProvider = (clientId: string, clientSecret: string, issuer: stri
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
-        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -216,7 +216,7 @@ const createKeycloakProvider = (clientId: string, clientSecret: string, issuer:
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
-        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -226,7 +226,7 @@ const createMicrosoftEntraIDProvider = (clientId: string, clientSecret: string,
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
-        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -249,7 +249,7 @@ const createBitbucketCloudProvider = (clientId: string, clientSecret: string): P
                 ].join(' '),
             },
         },
-        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -317,7 +317,7 @@ const createBitbucketServerProvider = (clientId: string, clientSecret: string, b
                 image: null,
             };
         },
-        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+        allowDangerousEmailAccountLinking: true,
     } as Provider;
 }
 
@@ -327,7 +327,7 @@ export const createAuthentikProvider = (clientId: string, clientSecret: string,
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
-        allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
