Shouldn't account linking with verified emails be possible?

[kian-karazmoudeh]

Question 💬

Hi. I have a web app which uses the email provider and the google provider. However as I've come to notice, due to the possibility of account hijacking, we cant link these two accounts.

My question consists of 2 parts:

1. Why does google provider not set emailVerified in Database? I believe all emails are verified on google account creation.
2. If all google accounts have a verified email, shouldnt it be safe to link them?

How to reproduce ☕️

All google account emails are verified: Link

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[iaincollins]

This comes down to if you trust the oAuth provider. Google actually return a property on the profile indicating if the email on an account has been verified or not, which suggests there are instances where actually they may not be (although that just might be for edge cases / legacy scenarios).

The behaviour is provider specific and theoretically subjective as to if you choose to trust a provider, and depends on what they mean by verified (e.g. if they reset the verified email status when a user changes their email address associated with the account).

Basically it's messy and from the point of view of a library might be best to play it safe and not make assumptions - or get involved in making too many subjective decisions about providers and if they should allow specific behaviour or not. The counterargument is it convenience and that in practice it's probably fine to trust Google or a large provider (Twitter, Facebook, Apple) when they say they have verified an argument, the question is where to draw that line.

I am not 100% certain because I can't remember without looking the order Events are fired in, but I think as it stands you could actually use an Event to set the verified value to true in the database for a user when they sign in for the first time if you wanted to.

IMO it probably is best to leave this up to people to determine for themselves.

Possibly there are ways to make handling situations like easier though.

[bryanrsmith]

Seems like emailVerified is explicitly set to null when creating the new user in 4.0.0-beta.7, ignoring the value returned by the provider: https://github.com/nextauthjs/next-auth/blob/v4.0.0-beta.7/src/core/lib/callback-handler.ts#L201

[balazsorban44]

If I recall @iaincollins correctly, some providers are very generously setting the verified status on their side. Because of this, we always initialize with null. To verify an email, you can use the Email Provider.

This means my previous comment at #3171 (reply in thread) isn't actually true, sorry. It wouldn't make sense if you could manually override this, we will need the user to be involved in the verification process.

[kian-karazmoudeh]

I was hoping that by manually setting emailVerified I would be able to automatically link google/email accounts. Is there any other way i can go about doing this?

[balazsorban44]

Setting it manually might not make sense. Verifying the e-mail should go through the user actually visiting their e-mail service and clicking the button.

As said:

To verify an email, you can use the Email Provider.

[ramiel]

Hello. I tried this: after the user tries to login with a social account and an OAuthAccountNotLinked is returned, I let them complete the flow with the email, to verify it. Is the social account meant to be linked now? Because it's not