SSO/update_on_login: change email address if no account with that new email address already exists

Author: haraldschilly

src/packages/database/postgres/types.ts

@@ -92,6 +92,7 @@ export interface UpdateAccountInfoAndPassportOpts {
   id: string;
   profile: any;
   passport_profile: any;
+  email_address?: string;
 }
 
 export interface PostgreSQL extends EventEmitter {

src/packages/next/components/account/config/account/name.tsx

@@ -85,7 +85,7 @@ function ConfigureName() {
           type="error"
           showIcon
         />
-      )}{" "}
+      )}
       {get.loading ? (
         <Loading />
       ) : (
@@ -131,7 +131,6 @@ function ConfigureName() {
               for content you share publicly.
               {original.name && (
                 <>
-                  {" "}
                   Setting a username provides optional nicer URL's for shared
                   public documents. Your username can be between 1 and 39
                   characters, contain upper and lower case letters, numbers, and

src/packages/next/components/misc/save-button.tsx

@@ -1,12 +1,14 @@
-import { CSSProperties, useEffect, useMemo, useRef, useState } from "react";
-import { cloneDeep, debounce, isEqual } from "lodash";
 import { Alert, Button, Space } from "antd";
-import useIsMounted from "lib/hooks/mounted";
+import { cloneDeep, debounce, isEqual } from "lodash";
+import { CSSProperties, useEffect, useMemo, useRef, useState } from "react";
+
 import Loading from "components/share/loading";
 import api from "lib/api/post";
+import useIsMounted from "lib/hooks/mounted";
+
 import { Icon } from "@cocalc/frontend/components/icon";
-import { SCHEMA } from "@cocalc/util/schema";
 import { keys } from "@cocalc/util/misc";
+import { SCHEMA } from "@cocalc/util/schema";
 
 interface Props {
   edited: any;
@@ -119,7 +121,7 @@ export default function SaveButton({
 
   const doSaveDebounced = useMemo(
     () => debounce(doSave, debounce_ms),
-    [onSave]
+    [onSave],
   );
 
   useEffect(() => {

src/packages/server/auth/sso/passport-login.ts

@@ -26,7 +26,10 @@ import { REMEMBER_ME_COOKIE_NAME } from "@cocalc/backend/auth/cookie-names";
 import base_path from "@cocalc/backend/base-path";
 import getLogger from "@cocalc/backend/logger";
 import { set_email_address_verified } from "@cocalc/database/postgres/account-queries";
-import type { PostgreSQL } from "@cocalc/database/postgres/types";
+import type {
+  PostgreSQL,
+  UpdateAccountInfoAndPassportOpts,
+} from "@cocalc/database/postgres/types";
 import {
   PassportLoginLocals,
   PassportLoginOpts,
@@ -40,6 +43,7 @@ import { createRememberMeCookie } from "@cocalc/server/auth/remember-me";
 import { sanitizeID } from "@cocalc/server/auth/sso/sanitize-id";
 import { sanitizeProfile } from "@cocalc/server/auth/sso/sanitize-profile";
 import { callback2 as cb2 } from "@cocalc/util/async-utils";
+import { is_valid_email_address } from "@cocalc/util/misc";
 import { HELP_EMAIL } from "@cocalc/util/theme";
 import { emailBelongsToDomain, getEmailDomain } from "./check-required-sso";
 import { SSO_API_KEY_COOKIE_NAME } from "./consts";
@@ -487,22 +491,37 @@ export class PassportLogin {
     if (locals.new_account_created || locals.account_id == null) return;
     const L = logger.extend("maybe_update_account_profile").debug;
 
-    // if (opts.emails != null) {
-    //   locals.email_address = opts.emails[0];
-    // }
-
-    L(`account exists and we update name of user based on SSO`);
-    await this.database.update_account_and_passport({
+    const upd: UpdateAccountInfoAndPassportOpts = {
       account_id: locals.account_id,
       first_name: opts.first_name,
       last_name: opts.last_name,
       strategy: opts.strategyName,
       id: opts.id,
       profile: opts.profile,
-      // but not the email address, at least for now
-      // email_address: locals.email_address,
       passport_profile: opts.profile,
-    });
+    };
+
+    if (Array.isArray(opts.emails) && opts.emails.length >= 1) {
+      locals.email_address = opts.emails[0];
+    }
+
+    // We update the email address, if it does not belong to another account.
+    // Most likely, this just returns the very same account (hence an account exists).
+    if (is_valid_email_address(locals.email_address)) {
+      const existing_account_id = await cb2(this.database.account_exists, {
+        email_address: locals.email_address,
+      });
+      if (!existing_account_id) {
+        // There is no account with the new email address, hence we can update the email address as well
+        upd.email_address = locals.email_address;
+        L(
+          `No existing account with email address ${locals.email_address} provided by the SSO strategy. Hence we change the email address of account ${locals.account_id} as well.`,
+        );
+      }
+    }
+
+    L(`account exists and we update name of user based on SSO`);
+    await this.database.update_account_and_passport(upd);
   }
 
   // There is a special case, where an api_key was requested.

src/packages/server/auth/sso/unlink-strategy.ts

@@ -10,9 +10,9 @@ upstream SSO provider.
 */
 
 import getPool from "@cocalc/database/pool";
+import getStrategies from "@cocalc/database/settings/get-sso-strategies";
 import { is_valid_uuid_string } from "@cocalc/util/misc";
 import { checkRequiredSSO } from "./check-required-sso";
-import getStrategies from "@cocalc/database/settings/get-sso-strategies";
 
 // The name should be something like "google-9999601658192", i.e., a key
 // of the passports field.
@@ -42,7 +42,7 @@ export default async function unlinkStrategy(opts: Options): Promise<void> {
   // if we can't find the strategy, we still let users unlink it – maybe no longer available?
   await pool.query(
     "UPDATE accounts SET passports = passports - $2 WHERE account_id=$1",
-    [account_id, name]
+    [account_id, name],
   );
 }
 
@@ -62,7 +62,7 @@ export async function isBlockedUnlinkStrategy(opts: Opts): Promise<boolean> {
 
   const emailQuery = await pool.query(
     "SELECT email_address FROM accounts WHERE account_id=$1",
-    [account_id]
+    [account_id],
   );
   const email = emailQuery.rows[0].email_address;
   if (email) {

src/packages/server/auth/throttle.ts

@@ -4,8 +4,9 @@ attacks.  This is in memory per-backend server, and doesn't touch
 the database.
 */
 
-import getStrategies from "@cocalc/database/settings/get-sso-strategies";
 import LRU from "lru-cache";
+
+import getStrategies from "@cocalc/database/settings/get-sso-strategies";
 import { checkRequiredSSO } from "./sso/check-required-sso";
 
 const emailShortCache = new LRU<string, number>({
@@ -30,7 +31,7 @@ async function isExclusiveEmail(email: string) {
 export async function signInCheck(
   email: string,
   ip?: string,
-  auth_token: boolean = false
+  auth_token: boolean = false,
 ): Promise<string | undefined> {
   if ((emailShortCache.get(email) ?? 0) > 5) {
     // A given email address is allowed at most 5 failed login attempts per minute

src/packages/util/misc.ts

@@ -403,10 +403,10 @@ const reValidEmail = (function () {
   return new RegExp(sValidEmail);
 })();
 
-export function is_valid_email_address(email: string): boolean {
+export function is_valid_email_address(email?: unknown): boolean {
   // From http://stackoverflow.com/questions/46155/validate-email-address-in-javascript
   // but converted to Javascript; it's near the middle but claims to be exactly RFC822.
-  if (reValidEmail.test(email)) {
+  if (typeof email === "string" && reValidEmail.test(email)) {
     return true;
   } else {
     return false;