@joeauyeung joeauyeung commented Jan 2, 2026

What does this PR do?

Example of log

@calcom/web:dev: 23:09:51:886 [ERROR] next-auth-options Userid [email protected] trying to login with the wrong provider {
@calcom/web:dev:   userId: '[email protected]',
@calcom/web:dev:   account: {
@calcom/web:dev:     providerAccountId: '[email protected]',
@calcom/web:dev:     type: 'credentials',
@calcom/web:dev:     provider: 'saml-idp'
@calcom/web:dev:   }
@calcom/web:dev: }

Summary by cubic

Added error logging in next-auth when a user signs in with the wrong identity provider, including a specific log for accounts that already exist with CAL. Logs userId and account details to help diagnose mismatched provider issues.

Written for commit 1ceddfc. Summary will update on new commits.

@joeauyeung joeauyeung requested a review from a team as a code owner January 2, 2026 23:13

github-actions bot commented Jan 2, 2026

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "Add logging in next-auth". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

@graphite-app graphite-app bot added the labels "enterprise" (area: enterprise, audit log, organisation, SAML, SSO) and "core" (area: core, team members only) Jan 2, 2026
@graphite-app graphite-app bot requested a review from a team January 2, 2026 23:14

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 1 file

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/features/auth/lib/next-auth-options.ts">

<violation number="1" location="packages/features/auth/lib/next-auth-options.ts:1067">
P1: Rule violated: **Avoid Logging Sensitive Information**

This log statement exposes PII (email addresses) in plain text. The `user.id` and `providerAccountId` can contain email addresses as shown in the PR description example. Use `hashEmail()` (already imported in this file) to anonymize these values before logging.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.


vercel bot commented Jan 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments
Project Deployment Review Updated (UTC)
cal Ignored Ignored Jan 2, 2026 11:17pm
cal-companion Ignored Ignored Preview Jan 2, 2026 11:17pm
cal-eu Ignored Ignored Jan 2, 2026 11:17pm

@joeauyeung joeauyeung changed the title from "Add logging in next-auth" to "chore: Add logging in next-auth" Jan 2, 2026

@cubic-dev-ai cubic-dev-ai bot left a comment

2 issues found across 1 file (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/features/auth/lib/next-auth-options.ts">

<violation number="1" location="packages/features/auth/lib/next-auth-options.ts:1041">
P2: This `log.error` is in unreachable code. The preceding `if` block already handles all cases where `identityProvider === IdentityProvider.CAL` because `idP` (from `mapIdentityProvider`) is always either `GOOGLE` or `SAML`. This else-if branch will never execute.

This appears to be a pre-existing dead code issue. If you want to log when a CAL user tries to login with a different provider but conversion fails, the log should be added inside the preceding `if` block after validation failures.</violation>

<violation number="2" location="packages/features/auth/lib/next-auth-options.ts:1041">
P1: Rule violated: **Avoid Logging Sensitive Information**

Logging `user.id` exposes user email addresses (PII) in logs. Consider using a hashed version of the email or a non-PII identifier. The codebase already has `hashEmail` from `@calcom/lib/server/PiiHasher` available for this purpose.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
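
Both review comments above flag e-mail addresses reaching the log through `user.id` and `providerAccountId`; the log line in the PR description also carries the address inside the message string itself. The sketch below is an added example, not code from this PR or from the project, and it is not the project's `hashEmail`: the HMAC construction, the key, the helper names and the sample addresses are all assumptions made for illustration.

```typescript
import { createHmac } from "node:crypto";

// E-mail-shaped substrings; deliberately broad, since over-redacting a log is the safe failure.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Keyed pseudonym (hypothetical helper): the same address always maps to the same
// token, so events stay correlatable, but the token cannot be guessed without the key.
function pseudonymize(email: string, key: string): string {
  const mac = createHmac("sha256", key).update(email.trim().toLowerCase()).digest("hex");
  return "h:" + mac.slice(0, 16);
}

// Returns a redacted copy of a log argument (string, array or plain object).
function redactForLog<T>(value: T, key: string): T {
  if (typeof value === "string") {
    return value.replace(EMAIL_RE, (m) => pseudonymize(m, key)) as unknown as T;
  }
  if (Array.isArray(value)) {
    return value.map((v) => redactForLog(v, key)) as unknown as T;
  }
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = redactForLog(v, key);
    }
    return out as unknown as T;
  }
  return value; // numbers, booleans, null and undefined pass through unchanged
}

// Constructed sample mirroring the shape of the log entry in the PR description.
const DEMO_KEY = "constructed-demo-key"; // assumption: a real key comes from secret config
const sampleMessage = "Userid alice@example.com trying to login with the wrong provider";
const samplePayload = {
  userId: "alice@example.com",
  account: { providerAccountId: "Alice@Example.com", type: "credentials", provider: "saml-idp" },
};

function redactedSample() {
  return {
    message: redactForLog(sampleMessage, DEMO_KEY),
    payload: redactForLog(samplePayload, DEMO_KEY),
  };
}

console.log(redactedSample());
```

A plain unkeyed hash of an e-mail address can be confirmed by hashing candidate addresses, which is why the sketch uses a keyed MAC and keeps the key out of the log pipeline.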

@pedroccastro pedroccastro merged commit 048a9b0 into main Jan 2, 2026
48 of 50 checks passed
@pedroccastro pedroccastro deleted the add-idp-log branch January 2, 2026 23:30
emrysal pushed a commit that referenced this pull request Jan 2, 2026
* Add logging in next-auth
* Add logging at other return