After signing in with Facebook session loads Google user

[kwiat1990]

Question 💬

Hi, I have two providers: Facebook and Google connected to Strapi CMS. I used Google with two different users and Facebook with one user, which has the same e-mail as one of Google's users. In Strapi all users were correctly saved.
Then in my frontend if I sign in using Google provider, I get the correct user. Everything works just fine. But with Facebook provider the session loads every time the wrong user and every time it's the one, which has the different email and has no Facebook account at all. I have tried to log in and log out with all the users in the different order but the results are all the time the same.

I test it in development mode.

In Strapi I have this user:

// Google
Foo | [email protected]
Bar | [email protected]
// Facebook
Fiz | [email protected]

What's a bit odd is the fact that in debug mode I can see that Oauth gets the correct Facebook user but at the same time if I console log user and account Objects from the jwt callback, then I get the incorrect user and token (Bar | [email protected]) and the correct account (Fiz | foo.gmail.com)

Nextauth optios look like this:

const options = (
  req: NextApiRequest,
  res: NextApiResponse
): NextAuthOptions => {
  return {
    secret: process.env.AUTH_SECRET,
    adapter: TypeORMLegacyAdapter(process.env.DATABASE_URL!),
    debug: process.env.NODE_ENV === "development",
    session: {
      strategy: "jwt",
    },
    providers: [
      FacebookProvider({
        clientId: process.env.FACEBOOK_CLIENT_ID!,
        clientSecret: process.env.FACEBOOK_CLIENT_SECRET!,
      }),
      GoogleProvider({
        clientId: process.env.GOOGLE_CLIENT_ID!,
        clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      }),
    ],
    callbacks: {
      async jwt({ token, user, account, profile, isNewUser }) {
        const isSignIn = user ? true : false;

        console.log("**USER***", {user, account, profile, token});

        if (isSignIn) {
          const { data } = await fetchAPI<any>({
            url: `/auth/${account?.provider}/callback?access_token=${account?.access_token}`,
          });

          token.jwt = data.jwt;
          token.id = data.user.id;
        }

        return token;
      },
      async session({ session, token, user }) {
        session.jwt = token.jwt;
        session.id = token.id;

        return session;
      },
    },
  };
};

My environment:

System:
    OS: macOS 12.3.1
    CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
    Memory: 479.66 MB / 32.00 GB
    Shell: 5.8 - /bin/zsh
  Binaries:
    Node: 16.14.2 - ~/.nvm/versions/node/v16.14.2/bin/node
    npm: 8.5.0 - ~/.nvm/versions/node/v16.14.2/bin/npm
  Browsers:
    Chrome: 100.0.4896.127
    Safari: 15.4
  npmPackages:
    next: ^12.1.4 => 12.1.5 
    next-auth: ^4.3.4 => 4.3.4 
    react: 18.0.0 => 18.0.0 

How to reproduce ☕️

You need to have Google account and Facebook account with the same e-mail. Additionally, you need another Google account with a different e-mail address. Log-in with all of them and see that Google account will be correctly loaded in the session but the Facebook account won't and session will load Google account with the different e-mail.

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[kwiat1990]

I think it can have something to do with the adapter. The CMS delivers correct data. But token and user objects have some other user's data. Without the adapter it works correctly though.

Do I need adapter anyway? Without it I created a new user in my CMS database with the call to /auth/${account?.provider}/callback?access_token=${account?.access_token}.

EDIT: After I deleted all data for sessions, users and accounts in CMS database, everything it works.

[ndom91]

Yeah so the users with the same email address at different providers are not linked automatically. See the explanation in the FAQ.

Also see the discussion (#3936 (comment) - From that post down) for some more background info.

The Account is, however, linked to the same User if attempting to sign-in with a new "Account" (OAuth provider) with the same email address only if already signed in with another provider, out of security reasons.

Therefore, my guess at whats going on in your case is that the user initially signed in with Google, for example, and created a User (profile pic, etc.) and Account (OAuth provider account details) entry in the db.

Then the user signed in with Fcaebook with that same email address, which linked that new Account (OAuth provider account) to that same User. Meaning when logging in with FB, the User (containing the google user image, etc.) would be pulled up.

See:

Source: https://next-auth.js.org/adapters/models

[kwiat1990]

I think it not quite exactly what happened as I logged in with a user with a duplicated email address (say using Facebook) but I didn’t get the other user with that email (say using Google) but instead a one completely not related with both accounts.

Perhaps it had something to do with changing options for database connection string (I tried out syncronize=true) and removing some users from database.

One gotcha: in database CMS users from CMS and those from NextAuth are not related, so if I delete a user in CMS, he stays in NextAuth table. But those users were created at the same time in jwt callback. It something one should keep in mind and perhaps extend delete function in his CMS.