fix: mismatched account.providerAccountId (#9932)

* fix: remove unnecessary /signout appending to signout form action URL

* fix: use actual user.id from provider as providerAccountId

* fix: add regression test

* fix: typescript issue, profile.id should always be set

* fix: fallback to randomUUID if provider doesn't return a user.id

* fix: add internal jsdoc on exported fn

* Discard changes to packages/core/src/lib/pages/signout.tsx

Author: ndom91

packages/core/src/lib/actions/callback/oauth/callback.ts

@@ -186,8 +186,11 @@ export async function handleOAuth(
   return { ...profileResult, profile, cookies: resCookies }
 }
 
-/** Returns the user and account that is going to be created in the database. */
-async function getUserAndAccount(
+/**
+ * Returns the user and account that is going to be created in the database.
+ * @internal
+ */
+export async function getUserAndAccount(
   OAuthProfile: Profile,
   provider: OAuthConfigInternal<any>,
   tokens: TokenSet,
@@ -207,7 +210,7 @@ async function getUserAndAccount(
         ...tokens,
         provider: provider.id,
         type: provider.type,
-        providerAccountId: user.id.toString(),
+        providerAccountId: userFromProfile.id ?? crypto.randomUUID(),
       },
     }
   } catch (e) {

packages/core/test/authorize.test.ts

@@ -2,6 +2,8 @@ import { describe, expect, it, vi, beforeEach } from "vitest"
 import { Auth, AuthConfig, skipCSRFCheck } from "../src"
 import { Adapter } from "../src/adapters"
 import SendGrid from "../src/providers/sendgrid"
+import { getUserAndAccount } from "../src/lib/actions/callback/oauth/callback"
+import { getUserAndAccountArgs } from "./fixtures/oauth-callback.ts"
 
 const mockAdapter: Adapter = {
   createVerificationToken: vi.fn(),
@@ -67,6 +69,30 @@ describe("auth via callbacks.signIn", () => {
     })
   })
 
+  describe("oauth callback", () => {
+    it("should build the correct user object", async () => {
+      const { profile, provider, tokens, logger } = getUserAndAccountArgs
+      const profileResult = await getUserAndAccount(
+        profile,
+        provider,
+        tokens,
+        logger
+      )
+
+      expect(profileResult?.account.type).toBe("oauth")
+      expect(profileResult?.account.provider).toBe("github")
+      expect(profileResult?.account.providerAccountId).toBe("abc")
+      expect(profileResult?.user.email).toBe("[email protected]")
+
+      // Test 'user.id' is a valid UUIDv4 from `crypto.randomUUID()`
+      expect(
+        profileResult?.user.id.match(
+          /^[0-9A-F]{8}-[0-9A-F]{4}-[4][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
+        )?.[0]
+      ).toBe(profileResult?.user.id)
+    })
+  })
+
   // TODO: We need an OAuth provider to test against
   describe.todo("redirect in oauth", () => {})
 })

packages/core/test/fixtures/oauth-callback.ts

@@ -0,0 +1,76 @@
+const userProfile = {
+  id: "abc",
+  name: "Fill Murray",
+  email: "[email protected]",
+  image: "https://source.boringavatars.com/marble",
+}
+
+export const getUserAndAccountArgs = {
+  profile: {
+    login: "fmurray",
+    id: 7415983,
+    node_id: "aDn61Xa3cjk0MT05gDQ=",
+    gravatar_id: "",
+    type: "User",
+    site_admin: false,
+    name: "Fill Murray",
+    company: null,
+    email: "[email protected]",
+    hireable: null,
+    bio: "CEO of HTMX",
+    twitter_username: "",
+    public_repos: 146,
+    public_gists: 39,
+    followers: 314,
+    following: 86,
+    created_at: "2014-04-26T19:35:49Z",
+    updated_at: "2024-01-27T20:46:58Z",
+    private_gists: 19,
+    total_private_repos: 20,
+    owned_private_repos: 20,
+    disk_usage: 768655,
+    collaborators: 6,
+    two_factor_authentication: true,
+    plan: {
+      name: "free",
+      space: 976562499,
+      collaborators: 0,
+      private_repos: 10000,
+    },
+  },
+  provider: {
+    id: "github",
+    name: "GitHub",
+    type: "oauth" as const,
+    authorization: {
+      url: new URL("https://google.com"),
+      request: undefined,
+      conform: undefined,
+    },
+    token: { url: new URL("https://google.com") },
+    userinfo: {
+      url: new URL("https://google.com"),
+      // request: async () => {},
+      conform: undefined,
+    },
+    profile: () => userProfile,
+    style: { logo: "/github.svg", bg: "#24292f", text: "#fff" },
+    clientId: "abc",
+    clientSecret: "abc",
+    signinUrl: "http://localhost:3000/api/auth/signin/github",
+    callbackUrl: "http://localhost:3000/api/auth/callback/github",
+    redirectProxyUrl: undefined,
+    checks: ["pkce" as const],
+    account: () => {},
+  },
+  tokens: {
+    access_token: "gho_abc",
+    token_type: "bearer" as const,
+    scope: "read:user,user:email",
+  },
+  logger: {
+    error: (error: Error) => console.error(error),
+    warn: (error: string) => console.warn(error),
+    debug: (error: string) => console.debug(error),
+  },
+}