supabase
diff --git a/‎internal/api/anonymous.go‎
Lines changed: 3 additions & 0 deletions b/‎internal/api/anonymous.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎internal/api/apitask/apitask.go‎
Lines changed: 13 additions & 0 deletions b/‎internal/api/apitask/apitask.go‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎internal/api/apitask/apitask_test.go‎
Lines changed: 5 additions & 18 deletions b/‎internal/api/apitask/apitask_test.go‎
Lines changed: 5 additions & 18 deletions
diff --git a/‎internal/api/e2e_test.go‎
Lines changed: 50 additions & 0 deletions b/‎internal/api/e2e_test.go‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎internal/api/external.go‎
Lines changed: 31 additions & 25 deletions b/‎internal/api/external.go‎
Lines changed: 31 additions & 25 deletions
@@ -53,6 +53,9 @@ func (a *API) SignupAnonymously(w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		return apierrors.NewInternalServerError("Database error creating anonymous user").WithInternalError(err)
 	}
+	if err := a.triggerAfterUserCreated(r, db, newUser); err != nil {
+		return err
+	}
 
 	metering.RecordLogin(metering.LoginTypeAnonymous, newUser.ID, nil)
 	return sendJSON(w, http.StatusOK, token)
 
@@ -39,6 +39,19 @@ type Task interface {
 	Run(context.Context) error
 }
 
+type taskFunc struct {
+	typ string
+	fn  func(context.Context) error
+}
+
+func (o *taskFunc) Type() string { return o.typ }
+
+func (o *taskFunc) Run(ctx context.Context) error { return o.fn(ctx) }
+
+func Func(typ string, fn func(context.Context) error) Task {
+	return &taskFunc{typ: typ, fn: fn}
+}
+
 // Run will run a request-scoped background task in a separate goroutine
 // immediately if the current context supports it. Otherwise it makes an
 // immediate blocking call to task.Run(ctx).
 
@@ -12,19 +12,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-type taskFunc struct {
-	typ string
-	fn  func(context.Context) error
-}
-
-func (o *taskFunc) Type() string { return o.typ }
-
-func (o *taskFunc) Run(ctx context.Context) error { return o.fn(ctx) }
-
-func taskFn(typ string, fn func(context.Context) error) Task {
-	return &taskFunc{typ: typ, fn: fn}
-}
-
 func TestContext(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
 	defer cancel()
@@ -59,7 +46,7 @@ func TestRun(t *testing.T) {
 		expCalls := 0
 		for range 16 {
 			expCalls++
-			task := taskFn("test.run", func(ctx context.Context) error {
+			task := Func("test.run", func(ctx context.Context) error {
 				calls.Add(1)
 				return nil
 			})
@@ -85,7 +72,7 @@ func TestRun(t *testing.T) {
 			sentinel := errors.New("sentinel")
 			for range 16 {
 				expCalls++
-				task := taskFn("test.run", func(ctx context.Context) error {
+				task := Func("test.run", func(ctx context.Context) error {
 					calls.Add(1)
 					return sentinel
 				})
@@ -110,7 +97,7 @@ func TestRun(t *testing.T) {
 			sentinel := errors.New("sentinel")
 			for range 16 {
 				expCalls++
-				task := taskFn("test.run", func(ctx context.Context) error {
+				task := Func("test.run", func(ctx context.Context) error {
 					calls.Add(1)
 					return sentinel
 				})
@@ -137,7 +124,7 @@ func TestMiddleware(t *testing.T) {
 		hrFunc := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			for i := range 10 {
 				typ := fmt.Sprintf("test-task-%v", i)
-				task := taskFn(typ, func(ctx context.Context) error {
+				task := Func(typ, func(ctx context.Context) error {
 					return nil
 				})
 
@@ -164,7 +151,7 @@ func TestMiddleware(t *testing.T) {
 		hrFunc := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			for i := range 10 {
 				typ := fmt.Sprintf("test-task-%v", i)
-				task := taskFn(typ, func(ctx context.Context) error {
+				task := Func(typ, func(ctx context.Context) error {
 					return nil
 				})
 				err := Run(r.Context(), task)
 
@@ -87,6 +87,43 @@ func runVerifyBeforeUserCreatedHook(
 	return latest
 }
 
+func runVerifyAfterUserCreatedHook(
+	t *testing.T,
+	inst *e2ehooks.Instance,
+	expUser *models.User,
+) *models.User {
+	var latest *models.User
+	t.Run("VerifyAfterUserCreatedHook", func(t *testing.T) {
+		defer inst.HookRecorder.AfterUserCreated.ClearCalls()
+
+		calls := inst.HookRecorder.AfterUserCreated.GetCalls()
+		require.Equal(t, 1, len(calls))
+		call := calls[0]
+
+		hookReq := &v0hooks.AfterUserCreatedInput{}
+		err := call.Unmarshal(hookReq)
+		require.NoError(t, err)
+		require.Equal(t, v0hooks.AfterUserCreated, hookReq.Metadata.Name)
+
+		u := hookReq.User
+		require.Equal(t, expUser.ID, u.ID)
+		require.Equal(t, expUser.Aud, u.Aud)
+		require.Equal(t, expUser.Email, u.Email)
+		require.Equal(t, expUser.AppMetaData, u.AppMetaData)
+
+		require.False(t, u.CreatedAt.IsZero())
+		require.False(t, u.UpdatedAt.IsZero())
+
+		err = expUser.Confirm(inst.Conn)
+		require.NoError(t, err)
+
+		latest, err = models.FindUserByID(inst.Conn, expUser.ID)
+		require.NoError(t, err)
+		require.NotNil(t, latest)
+	})
+	return latest
+}
+
 func getAccessToken(
 	ctx context.Context,
 	t *testing.T,
@@ -208,6 +245,7 @@ func TestE2EHooks(t *testing.T) {
 			require.Equal(t, email, res.Email.String())
 
 			runVerifyBeforeUserCreatedHook(t, inst, res)
+			runVerifyAfterUserCreatedHook(t, inst, res)
 		})
 
 		t.Run("SignupPhone", func(t *testing.T) {
@@ -224,6 +262,8 @@ func TestE2EHooks(t *testing.T) {
 			require.Equal(t, phone, res.Phone.String())
 
 			runVerifyBeforeUserCreatedHook(t, inst, res)
+			runVerifyAfterUserCreatedHook(t, inst, res)
+
 		})
 
 		t.Run("SignupAnonymously", func(t *testing.T) {
@@ -235,6 +275,8 @@ func TestE2EHooks(t *testing.T) {
 			require.NoError(t, err)
 
 			runVerifyBeforeUserCreatedHook(t, inst, res.User)
+			runVerifyAfterUserCreatedHook(t, inst, res.User)
+
 		})
 
 		t.Run("ExternalCallback", func(t *testing.T) {
@@ -246,6 +288,8 @@ func TestE2EHooks(t *testing.T) {
 			require.NoError(t, err)
 
 			runVerifyBeforeUserCreatedHook(t, inst, res.User)
+			runVerifyAfterUserCreatedHook(t, inst, res.User)
+
 		})
 
 		t.Run("AdminEndpoints", func(t *testing.T) {
@@ -273,6 +317,8 @@ func TestE2EHooks(t *testing.T) {
 				require.NoError(t, err)
 
 				runVerifyBeforeUserCreatedHook(t, inst, res)
+				runVerifyAfterUserCreatedHook(t, inst, res)
+
 			})
 
 			t.Run("AdminGenerateLink", func(t *testing.T) {
@@ -304,6 +350,7 @@ func TestE2EHooks(t *testing.T) {
 					require.NoError(t, err)
 
 					runVerifyBeforeUserCreatedHook(t, inst, &res.User)
+					runVerifyAfterUserCreatedHook(t, inst, &res.User)
 				})
 
 				t.Run("InviteVerification", func(t *testing.T) {
@@ -332,6 +379,7 @@ func TestE2EHooks(t *testing.T) {
 					require.NoError(t, err)
 
 					runVerifyBeforeUserCreatedHook(t, inst, &res.User)
+					runVerifyAfterUserCreatedHook(t, inst, &res.User)
 				})
 			})
 		})
@@ -372,6 +420,7 @@ func TestE2EHooks(t *testing.T) {
 					require.Equal(t, email, mfaUser.Email.String())
 
 					mfaUser = runVerifyBeforeUserCreatedHook(t, inst, mfaUser)
+					runVerifyAfterUserCreatedHook(t, inst, mfaUser)
 					require.NotNil(t, mfaUser)
 					mfaUserAccessToken = getAccessToken(
 						ctx, t, inst, string(mfaUser.Email), defaultPassword)
@@ -562,6 +611,7 @@ func TestE2EHooks(t *testing.T) {
 			require.Equal(t, email, res.Email.String())
 
 			currentUser = runVerifyBeforeUserCreatedHook(t, inst, res)
+			runVerifyAfterUserCreatedHook(t, inst, res)
 			require.NotNil(t, currentUser)
 			inst.HookRecorder.CustomizeAccessToken.ClearCalls()
 		}
 
@@ -218,6 +218,7 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 		}
 	}
 
+	var createdUser bool
 	var user *models.User
 	var token *AccessTokenResponse
 	err = db.Transaction(func(tx *storage.Connection) error {
@@ -231,7 +232,8 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 				return terr
 			}
 		} else {
-			if user, terr = a.createAccountFromExternalIdentity(tx, r, userData, providerType, emailOptional); terr != nil {
+			createdUser = true
+			if _, user, terr = a.createAccountFromExternalIdentity(tx, r, userData, providerType, emailOptional); terr != nil {
 				return terr
 			}
 		}
@@ -253,10 +255,14 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 		}
 		return nil
 	})
-
 	if err != nil {
 		return err
 	}
+	if createdUser {
+		if err := a.triggerAfterUserCreated(r, db, user); err != nil {
+			return err
+		}
+	}
 
 	// Record login for analytics - only when token is issued (not during pkce authorize)
 	if token != nil {
@@ -290,7 +296,7 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 	return nil
 }
 
-func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.Request, userData *provider.UserProvidedData, providerType string, emailOptional bool) (*models.User, error) {
+func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.Request, userData *provider.UserProvidedData, providerType string, emailOptional bool) (models.AccountLinkingDecision, *models.User, error) {
 	ctx := r.Context()
 	aud := a.requestAud(ctx, r)
 	config := a.config
@@ -304,28 +310,28 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.
 
 	decision, terr := models.DetermineAccountLinking(tx, config, userData.Emails, aud, providerType, userData.Metadata.Subject)
 	if terr != nil {
-		return nil, terr
+		return 0, nil, terr
 	}
 
 	switch decision.Decision {
 	case models.LinkAccount:
 		user = decision.User
 
 		if identity, terr = a.createNewIdentity(tx, user, providerType, identityData); terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 
 		if terr = user.UpdateUserMetaData(tx, identityData); terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 
 		if terr = user.UpdateAppMetaDataProviders(tx); terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 
 	case models.CreateAccount:
 		if config.DisableSignup {
-			return nil, apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeSignupDisabled, "Signups not allowed for this instance")
+			return 0, nil, apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeSignupDisabled, "Signups not allowed for this instance")
 		}
 
 		params := &SignupParams{
@@ -352,15 +358,15 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.
 		// transaction
 		user, terr = params.ToUserModel(isSSOUser)
 		if terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 
 		if user, terr = a.signupNewUser(tx, user); terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 
 		if identity, terr = a.createNewIdentity(tx, user, providerType, identityData); terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 		user.Identities = append(user.Identities, *identity)
 
@@ -370,24 +376,24 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.
 
 		identity.IdentityData = identityData
 		if terr = tx.UpdateOnly(identity, "identity_data", "last_sign_in_at"); terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 		if terr = user.UpdateUserMetaData(tx, identityData); terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 		if terr = user.UpdateAppMetaDataProviders(tx); terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 
 	case models.MultipleAccounts:
-		return nil, apierrors.NewInternalServerError("Multiple accounts with the same email address in the same linking domain detected: %v", decision.LinkingDomain)
+		return 0, nil, apierrors.NewInternalServerError("Multiple accounts with the same email address in the same linking domain detected: %v", decision.LinkingDomain)
 
 	default:
-		return nil, apierrors.NewInternalServerError("Unknown automatic linking decision: %v", decision.Decision)
+		return 0, nil, apierrors.NewInternalServerError("Unknown automatic linking decision: %v", decision.Decision)
 	}
 
 	if user.IsBanned() {
-		return nil, apierrors.NewForbiddenError(apierrors.ErrorCodeUserBanned, "User is banned")
+		return 0, nil, apierrors.NewForbiddenError(apierrors.ErrorCodeUserBanned, "User is banned")
 	}
 
 	hasEmails := providerType != "web3" && !(emailOptional && decision.CandidateEmail.Email == "")
@@ -398,44 +404,44 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.
 		// need to be removed when a new oauth identity is being added
 		// to prevent pre-account takeover attacks from happening.
 		if terr = user.RemoveUnconfirmedIdentities(tx, identity); terr != nil {
-			return nil, apierrors.NewInternalServerError("Error updating user").WithInternalError(terr)
+			return 0, nil, apierrors.NewInternalServerError("Error updating user").WithInternalError(terr)
 		}
 		if decision.CandidateEmail.Verified || config.Mailer.Autoconfirm {
 			if terr := models.NewAuditLogEntry(config.AuditLog, r, tx, user, models.UserSignedUpAction, "", map[string]interface{}{
 				"provider": providerType,
 			}); terr != nil {
-				return nil, terr
+				return 0, nil, terr
 			}
 			// fall through to auto-confirm and issue token
 			if terr = user.Confirm(tx); terr != nil {
-				return nil, apierrors.NewInternalServerError("Error updating user").WithInternalError(terr)
+				return 0, nil, apierrors.NewInternalServerError("Error updating user").WithInternalError(terr)
 			}
 		} else {
 			emailConfirmationSent := false
 			if decision.CandidateEmail.Email != "" {
 				if terr = a.sendConfirmation(r, tx, user, models.ImplicitFlow); terr != nil {
-					return nil, terr
+					return 0, nil, terr
 				}
 				emailConfirmationSent = true
 			}
 
 			if !config.Mailer.AllowUnverifiedEmailSignIns {
 				if emailConfirmationSent {
-					return nil, storage.NewCommitWithError(apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeProviderEmailNeedsVerification, fmt.Sprintf("Unverified email with %v. A confirmation email has been sent to your %v email", providerType, providerType)))
+					return 0, nil, storage.NewCommitWithError(apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeProviderEmailNeedsVerification, fmt.Sprintf("Unverified email with %v. A confirmation email has been sent to your %v email", providerType, providerType)))
 				}
 
-				return nil, storage.NewCommitWithError(apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeProviderEmailNeedsVerification, fmt.Sprintf("Unverified email with %v. Verify the email with %v in order to sign in", providerType, providerType)))
+				return 0, nil, storage.NewCommitWithError(apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeProviderEmailNeedsVerification, fmt.Sprintf("Unverified email with %v. Verify the email with %v in order to sign in", providerType, providerType)))
 			}
 		}
 	} else {
 		if terr := models.NewAuditLogEntry(config.AuditLog, r, tx, user, models.LoginAction, "", map[string]interface{}{
 			"provider": providerType,
 		}); terr != nil {
-			return nil, terr
+			return 0, nil, terr
 		}
 	}
 
-	return user, nil
+	return decision.Decision, user, nil
 }
 
 func (a *API) processInvite(r *http.Request, tx *storage.Connection, userData *provider.UserProvidedData, inviteToken, providerType string) (*models.User, error) {
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,9 @@ func (a API) SignupAnonymously(w http.ResponseWriter, r http.Request) error {`
`53`	`53`	`if err != nil {`
`54`	`54`	`return apierrors.NewInternalServerError("Database error creating anonymous user").WithInternalError(err)`
`55`	`55`	`}`
	`56`	`+ if err := a.triggerAfterUserCreated(r, db, newUser); err != nil {`
	`57`	`+ return err`
	`58`	`+ }`
`56`	`59`
`57`	`60`	`metering.RecordLogin(metering.LoginTypeAnonymous, newUser.ID, nil)`
`58`	`61`	`return sendJSON(w, http.StatusOK, token)`
Original file line number	Diff line number	Diff line change
`@@ -218,6 +218,7 @@ func (a API) internalExternalProviderCallback(w http.ResponseWriter, r http.Re`
`218`	`218`	`}`
`219`	`219`	`}`
`220`	`220`
	`221`	`+ var createdUser bool`
`221`	`222`	`var user *models.User`
`222`	`223`	`var token *AccessTokenResponse`
`223`	`224`	`err = db.Transaction(func(tx *storage.Connection) error {`
`@@ -231,7 +232,8 @@ func (a API) internalExternalProviderCallback(w http.ResponseWriter, r http.Re`
`231`	`232`	`return terr`
`232`	`233`	`}`
`233`	`234`	`} else {`
`234`		`- if user, terr = a.createAccountFromExternalIdentity(tx, r, userData, providerType, emailOptional); terr != nil {`
	`235`	`+ createdUser = true`
	`236`	`+ if _, user, terr = a.createAccountFromExternalIdentity(tx, r, userData, providerType, emailOptional); terr != nil {`
`235`	`237`	`return terr`
`236`	`238`	`}`
`237`	`239`	`}`
`@@ -253,10 +255,14 @@ func (a API) internalExternalProviderCallback(w http.ResponseWriter, r http.Re`
`253`	`255`	`}`
`254`	`256`	`return nil`
`255`	`257`	`})`
`256`		`-`
`257`	`258`	`if err != nil {`
`258`	`259`	`return err`
`259`	`260`	`}`
	`261`	`+ if createdUser {`
	`262`	`+ if err := a.triggerAfterUserCreated(r, db, user); err != nil {`
	`263`	`+ return err`
	`264`	`+ }`
	`265`	`+ }`
`260`	`266`
`261`	`267`	`// Record login for analytics - only when token is issued (not during pkce authorize)`
`262`	`268`	`if token != nil {`
`@@ -290,7 +296,7 @@ func (a API) internalExternalProviderCallback(w http.ResponseWriter, r http.Re`
`290`	`296`	`return nil`
`291`	`297`	`}`
`292`	`298`
`293`		`-func (a API) createAccountFromExternalIdentity(tx storage.Connection, r http.Request, userData provider.UserProvidedData, providerType string, emailOptional bool) (*models.User, error) {`
	`299`	`+func (a API) createAccountFromExternalIdentity(tx storage.Connection, r http.Request, userData provider.UserProvidedData, providerType string, emailOptional bool) (models.AccountLinkingDecision, *models.User, error) {`
`294`	`300`	`ctx := r.Context()`
`295`	`301`	`aud := a.requestAud(ctx, r)`
`296`	`302`	`config := a.config`
`@@ -304,28 +310,28 @@ func (a API) createAccountFromExternalIdentity(tx storage.Connection, r *http.`
`304`	`310`
`305`	`311`	`decision, terr := models.DetermineAccountLinking(tx, config, userData.Emails, aud, providerType, userData.Metadata.Subject)`
`306`	`312`	`if terr != nil {`
`307`		`- return nil, terr`
	`313`	`+ return 0, nil, terr`
`308`	`314`	`}`
`309`	`315`
`310`	`316`	`switch decision.Decision {`
`311`	`317`	`case models.LinkAccount:`
`312`	`318`	`user = decision.User`
`313`	`319`
`314`	`320`	`if identity, terr = a.createNewIdentity(tx, user, providerType, identityData); terr != nil {`
`315`		`- return nil, terr`
	`321`	`+ return 0, nil, terr`
`316`	`322`	`}`
`317`	`323`
`318`	`324`	`if terr = user.UpdateUserMetaData(tx, identityData); terr != nil {`
`319`		`- return nil, terr`
	`325`	`+ return 0, nil, terr`
`320`	`326`	`}`
`321`	`327`
`322`	`328`	`if terr = user.UpdateAppMetaDataProviders(tx); terr != nil {`
`323`		`- return nil, terr`
	`329`	`+ return 0, nil, terr`
`324`	`330`	`}`
`325`	`331`
`326`	`332`	`case models.CreateAccount:`
`327`	`333`	`if config.DisableSignup {`
`328`		`- return nil, apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeSignupDisabled, "Signups not allowed for this instance")`
	`334`	`+ return 0, nil, apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeSignupDisabled, "Signups not allowed for this instance")`
`329`	`335`	`}`
`330`	`336`
`331`	`337`	`params := &SignupParams{`
`@@ -352,15 +358,15 @@ func (a API) createAccountFromExternalIdentity(tx storage.Connection, r *http.`
`352`	`358`	`// transaction`
`353`	`359`	`user, terr = params.ToUserModel(isSSOUser)`
`354`	`360`	`if terr != nil {`
`355`		`- return nil, terr`
	`361`	`+ return 0, nil, terr`
`356`	`362`	`}`
`357`	`363`
`358`	`364`	`if user, terr = a.signupNewUser(tx, user); terr != nil {`
`359`		`- return nil, terr`
	`365`	`+ return 0, nil, terr`
`360`	`366`	`}`
`361`	`367`
`362`	`368`	`if identity, terr = a.createNewIdentity(tx, user, providerType, identityData); terr != nil {`
`363`		`- return nil, terr`
	`369`	`+ return 0, nil, terr`
`364`	`370`	`}`
`365`	`371`	`user.Identities = append(user.Identities, *identity)`
`366`	`372`
`@@ -370,24 +376,24 @@ func (a API) createAccountFromExternalIdentity(tx storage.Connection, r *http.`
`370`	`376`
`371`	`377`	`identity.IdentityData = identityData`
`372`	`378`	`if terr = tx.UpdateOnly(identity, "identity_data", "last_sign_in_at"); terr != nil {`
`373`		`- return nil, terr`
	`379`	`+ return 0, nil, terr`
`374`	`380`	`}`
`375`	`381`	`if terr = user.UpdateUserMetaData(tx, identityData); terr != nil {`
`376`		`- return nil, terr`
	`382`	`+ return 0, nil, terr`
`377`	`383`	`}`
`378`	`384`	`if terr = user.UpdateAppMetaDataProviders(tx); terr != nil {`
`379`		`- return nil, terr`
	`385`	`+ return 0, nil, terr`
`380`	`386`	`}`
`381`	`387`
`382`	`388`	`case models.MultipleAccounts:`
`383`		`- return nil, apierrors.NewInternalServerError("Multiple accounts with the same email address in the same linking domain detected: %v", decision.LinkingDomain)`
	`389`	`+ return 0, nil, apierrors.NewInternalServerError("Multiple accounts with the same email address in the same linking domain detected: %v", decision.LinkingDomain)`
`384`	`390`
`385`	`391`	`default:`
`386`		`- return nil, apierrors.NewInternalServerError("Unknown automatic linking decision: %v", decision.Decision)`
	`392`	`+ return 0, nil, apierrors.NewInternalServerError("Unknown automatic linking decision: %v", decision.Decision)`
`387`	`393`	`}`
`388`	`394`
`389`	`395`	`if user.IsBanned() {`
`390`		`- return nil, apierrors.NewForbiddenError(apierrors.ErrorCodeUserBanned, "User is banned")`
	`396`	`+ return 0, nil, apierrors.NewForbiddenError(apierrors.ErrorCodeUserBanned, "User is banned")`
`391`	`397`	`}`
`392`	`398`
`393`	`399`	`hasEmails := providerType != "web3" && !(emailOptional && decision.CandidateEmail.Email == "")`
`@@ -398,44 +404,44 @@ func (a API) createAccountFromExternalIdentity(tx storage.Connection, r *http.`
`398`	`404`	`// need to be removed when a new oauth identity is being added`
`399`	`405`	`// to prevent pre-account takeover attacks from happening.`
`400`	`406`	`if terr = user.RemoveUnconfirmedIdentities(tx, identity); terr != nil {`
`401`		`- return nil, apierrors.NewInternalServerError("Error updating user").WithInternalError(terr)`
	`407`	`+ return 0, nil, apierrors.NewInternalServerError("Error updating user").WithInternalError(terr)`
`402`	`408`	`}`
`403`	`409`	`if decision.CandidateEmail.Verified \|\| config.Mailer.Autoconfirm {`
`404`	`410`	`if terr := models.NewAuditLogEntry(config.AuditLog, r, tx, user, models.UserSignedUpAction, "", map[string]interface{}{`
`405`	`411`	`"provider": providerType,`
`406`	`412`	`}); terr != nil {`
`407`		`- return nil, terr`
	`413`	`+ return 0, nil, terr`
`408`	`414`	`}`
`409`	`415`	`// fall through to auto-confirm and issue token`
`410`	`416`	`if terr = user.Confirm(tx); terr != nil {`
`411`		`- return nil, apierrors.NewInternalServerError("Error updating user").WithInternalError(terr)`
	`417`	`+ return 0, nil, apierrors.NewInternalServerError("Error updating user").WithInternalError(terr)`
`412`	`418`	`}`
`413`	`419`	`} else {`
`414`	`420`	`emailConfirmationSent := false`
`415`	`421`	`if decision.CandidateEmail.Email != "" {`
`416`	`422`	`if terr = a.sendConfirmation(r, tx, user, models.ImplicitFlow); terr != nil {`
`417`		`- return nil, terr`
	`423`	`+ return 0, nil, terr`
`418`	`424`	`}`
`419`	`425`	`emailConfirmationSent = true`
`420`	`426`	`}`
`421`	`427`
`422`	`428`	`if !config.Mailer.AllowUnverifiedEmailSignIns {`
`423`	`429`	`if emailConfirmationSent {`
`424`		`- return nil, storage.NewCommitWithError(apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeProviderEmailNeedsVerification, fmt.Sprintf("Unverified email with %v. A confirmation email has been sent to your %v email", providerType, providerType)))`
	`430`	`+ return 0, nil, storage.NewCommitWithError(apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeProviderEmailNeedsVerification, fmt.Sprintf("Unverified email with %v. A confirmation email has been sent to your %v email", providerType, providerType)))`
`425`	`431`	`}`
`426`	`432`
`427`		`- return nil, storage.NewCommitWithError(apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeProviderEmailNeedsVerification, fmt.Sprintf("Unverified email with %v. Verify the email with %v in order to sign in", providerType, providerType)))`
	`433`	`+ return 0, nil, storage.NewCommitWithError(apierrors.NewUnprocessableEntityError(apierrors.ErrorCodeProviderEmailNeedsVerification, fmt.Sprintf("Unverified email with %v. Verify the email with %v in order to sign in", providerType, providerType)))`
`428`	`434`	`}`
`429`	`435`	`}`
`430`	`436`	`} else {`
`431`	`437`	`if terr := models.NewAuditLogEntry(config.AuditLog, r, tx, user, models.LoginAction, "", map[string]interface{}{`
`432`	`438`	`"provider": providerType,`
`433`	`439`	`}); terr != nil {`
`434`		`- return nil, terr`
	`440`	`+ return 0, nil, terr`
`435`	`441`	`}`
`436`	`442`	`}`
`437`	`443`
`438`		`- return user, nil`
	`444`	`+ return decision.Decision, user, nil`
`439`	`445`	`}`
`440`	`446`
`441`	`447`	`func (a API) processInvite(r http.Request, tx storage.Connection, userData provider.UserProvidedData, inviteToken, providerType string) (*models.User, error) {`