diff --git a/packages/backend/server/src/modules/auth/next-auth-options.ts b/packages/backend/server/src/modules/auth/next-auth-options.ts
index 308fd25299..5e0317b508 100644
--- a/packages/backend/server/src/modules/auth/next-auth-options.ts
+++ b/packages/backend/server/src/modules/auth/next-auth-options.ts
@@ -23,6 +23,8 @@ import {
 
 export const NextAuthOptionsProvide = Symbol('NextAuthOptions');
 
+const TrustedProviders = ['google'];
+
 export const NextAuthOptionsProvider: FactoryProvider = {
   provide: NextAuthOptionsProvide,
   useFactory(
@@ -51,6 +53,23 @@ export const NextAuthOptionsProvider: FactoryProvider = {
       }
       return createUser(userData);
     };
+    // linkAccount exists in the adapter
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    const linkAccount = prismaAdapter.linkAccount!.bind(prismaAdapter);
+    prismaAdapter.linkAccount = async account => {
+      // google account must be a verified email
+      if (TrustedProviders.includes(account.provider)) {
+        await prisma.user.update({
+          where: {
+            id: account.userId,
+          },
+          data: {
+            emailVerified: new Date(),
+          },
+        });
+      }
+      return linkAccount(account) as Promise;
+    };
     // getUser exists in the adapter
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
     const getUser = prismaAdapter.getUser!.bind(prismaAdapter)!;
diff --git a/packages/backend/server/src/modules/auth/resolver.ts b/packages/backend/server/src/modules/auth/resolver.ts
index 27bf40a82c..680d0a37ec 100644
--- a/packages/backend/server/src/modules/auth/resolver.ts
+++ b/packages/backend/server/src/modules/auth/resolver.ts
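Review bot: The `emailVerified` update in the new `linkAccount` wrapper runs before the underlying `linkAccount(account)` call, so if the original adapter call rejects, the user is left marked verified with no account actually linked; doing `const linked = await linkAccount(account);` first and `return linked;` after the update (or both writes in one `prisma.$transaction`) keeps the two consistent. The wrapper also decides on the provider name alone — the `account` object here carries no `email_verified` claim, and it marks whatever email is stored on `account.userId` as verified, so if next-auth can link a Google account to an already signed-in user whose stored email differs from the Google one, an unrelated address gets verified; worth confirming against the sign-in flow, and the comment would be clearer as `// trusted OIDC providers only hand out verified emails, so mark the linked user's email verified`. `linkAccount(account) as Promise` appears with no type argument; if that is not an extraction artefact, the cast should name the adapter's declared return type rather than a bare `Promise`. The enclosing `useFactory` body starts and ends outside the hunk.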
@@ -135,9 +135,17 @@ export class AuthResolver {
     @Args('token') token: string,
     @Args('newPassword') newPassword: string
   ) {
-    // we only create user account after user sign in with email link
     const id = await this.session.get(token);
-    if (!id || id !== user.id || !user.emailVerified) {
+    if (!user.emailVerified) {
+      throw new ForbiddenException('Please verify the email first');
+    }
+    if (
+      !id ||
+      (id !== user.id &&
+        // change password after sign in with email link
+        // we only create user account after user sign in with email link
+        id !== user.email)
+    ) {
       throw new ForbiddenException('Invalid token');
     }