Users that registered with email/password cannot log in with Google OAuth

[alexolmedo]

What happened?

Users who originally registered with email/password (provider: local) cannot later log in with Google OAuth, even if they use the same email address.

When they attempt to sign in with Google, authentication fails with the error:

Token is not present. User is not authenticated.

This issue was introduced in commit: 1ccac58

Expected behavior

If a user signs in with Google using the same verified email address they registered with, they should either:

• Be allowed to log in successfully, OR
• Be prompted/migrated to update their account provider from "local" to "google" (instead of failing).

Version Information

docker images | grep librechat
ghcr.io/danny-avila/librechat-dev-api            latest          b556d1b5eaf5   4 hours ago     1.26GB
ghcr.io/danny-avila/librechat-rag-api-dev-lite   latest          adcc4579f616   15 months ago   1.86GB
ghcr.io/danny-avila/librechat-api                latest          4aa1c92ff166   16 months ago   1.73GB

Steps to Reproduce

1. Register a new user using email/password.
2. Log out.
3. Disable email/password login in your environment (so Google is the only login option).
4. Attempt to log in with Google OAuth using the same email address.
5. Authentication hard-fails with AUTH_FAILED.

What browsers are you seeing the problem on?

Chrome

Relevant log output

Token is not present. User is not authenticated.

Screenshots

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[alexolmedo]

Use case:
An admin initially sets up their account with email/password during early setup.
Later, they move the org to Google authentication and disable email/password logins to go live.

With the current provider validation, that admin can no longer log in at all — there’s no migration or linking path, just a hard failure.

[danny-avila]

This is intentional after this was patched: #8999

Reason: #8980

To fix this, you have to edit the user's provider field in the database to google

You can use the Mongo MCP server with LibreChat to help you:

# librechat.yaml
  mongodb:
    startup: false
    command: "npx"
    args:
      - "-y"
      - "mongodb-mcp-server"
    env:
      MDB_MCP_CONNECTION_STRING: "${MDB_MCP_CONNECTION_STRING}"

# .env
MDB_MCP_CONNECTION_STRING=your_connection_string

[alexolmedo]

Editing the provider field isn't sufficient. My guess is it still expects a googleId.

I had to completely remove the ADMIN user, log in with Google again to obtain the Google ID, and then restore the deleted user. This is all very poor UX.

As the ADMIN, LibreChat is hard-locked for me. I couldn't even access the Mongo MCP server to make these changes.