fix: make canLinkAccountsHelper check if the login methods of the primary user have conflicts on the tenant of the link target (#1015)

* fix: make canLinkAccountsHelper check if the login methods of the primary user have conflicts on the tenant of the link target

* chore: bump version number

Author: porcellus

CHANGELOG.md

@@ -7,6 +7,13 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
 
+## [9.1.1] -2024-07-24
+
+### Fixes
+
+- Account linking now properly checks if the login methods of the primary user can be shared with the tenants of the 
+  recipe user we are trying to link
+
 ## [9.1.0] - 2024-05-24
 
 ### Changes

build.gradle

@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "9.1.0"
+version = "9.1.1"
 
 
 repositories {

src/main/java/io/supertokens/authRecipe/AuthRecipe.java

@@ -234,12 +234,25 @@ private static CanLinkAccountsResult canLinkAccountsHelper(TransactionConnection
         // now we know that the recipe user ID is not a primary user, so we can focus on it's one
         // login method
         assert (recipeUser.loginMethods.length == 1);
-        LoginMethod recipeUserIdLM = recipeUser.loginMethods[0];
-
+        
         Set<String> tenantIds = new HashSet<>();
         tenantIds.addAll(recipeUser.tenantIds);
         tenantIds.addAll(primaryUser.tenantIds);
 
+        checkIfLoginMethodCanBeLinkedOnTenant(con, appIdentifier, authRecipeStorage, tenantIds, recipeUser.loginMethods[0], primaryUser);
+
+        for (LoginMethod currLoginMethod : primaryUser.loginMethods) {
+            checkIfLoginMethodCanBeLinkedOnTenant(con, appIdentifier, authRecipeStorage, tenantIds, currLoginMethod, primaryUser);
+        }
+
+        return new CanLinkAccountsResult(recipeUser.getSupertokensUserId(), primaryUser.getSupertokensUserId(), false);
+    }
+
+    private static void checkIfLoginMethodCanBeLinkedOnTenant(TransactionConnection con, AppIdentifier appIdentifier,
+                                                              AuthRecipeSQLStorage authRecipeStorage,
+                                                              Set<String> tenantIds, LoginMethod currLoginMethod,
+                                                              AuthRecipeUserInfo primaryUser)
+            throws StorageQueryException, AccountInfoAlreadyAssociatedWithAnotherPrimaryUserIdException {
         // we loop through the union of both the user's tenantIds and check that the criteria for
         // linking accounts is not violated in any of them. We do a union and not an intersection
         // cause if we did an intersection, and that yields that account linking is allowed, it could
@@ -251,17 +264,14 @@ private static CanLinkAccountsResult canLinkAccountsHelper(TransactionConnection
         // intersection, we will get an empty set, but if we do a union, we will get both the tenants and
         // do the checks in both.
         for (String tenantId : tenantIds) {
-            TenantIdentifier tenantIdentifier = new TenantIdentifier(
-                    appIdentifier.getConnectionUriDomain(), appIdentifier.getAppId(),
-                    tenantId);
             // we do not bother with getting the storage for each tenant here because
             // we get the tenants from the user itself, and the user can only be shared across
             // tenants of the same storage - therefore, the storage will be the same.
 
-            if (recipeUserIdLM.email != null) {
+            if (currLoginMethod.email != null) {
                 AuthRecipeUserInfo[] usersWithSameEmail = authRecipeStorage
                         .listPrimaryUsersByEmail_Transaction(appIdentifier, con,
-                                recipeUserIdLM.email);
+                                currLoginMethod.email);
                 for (AuthRecipeUserInfo user : usersWithSameEmail) {
                     if (!user.tenantIds.contains(tenantId)) {
                         continue;
@@ -274,10 +284,10 @@ private static CanLinkAccountsResult canLinkAccountsHelper(TransactionConnection
                 }
             }
 
-            if (recipeUserIdLM.phoneNumber != null) {
+            if (currLoginMethod.phoneNumber != null) {
                 AuthRecipeUserInfo[] usersWithSamePhoneNumber = authRecipeStorage
                         .listPrimaryUsersByPhoneNumber_Transaction(appIdentifier, con,
-                                recipeUserIdLM.phoneNumber);
+                                currLoginMethod.phoneNumber);
                 for (AuthRecipeUserInfo user : usersWithSamePhoneNumber) {
                     if (!user.tenantIds.contains(tenantId)) {
                         continue;
@@ -291,10 +301,10 @@ private static CanLinkAccountsResult canLinkAccountsHelper(TransactionConnection
                 }
             }
 
-            if (recipeUserIdLM.thirdParty != null) {
+            if (currLoginMethod.thirdParty != null) {
                 AuthRecipeUserInfo[] usersWithSameThirdParty = authRecipeStorage
                         .listPrimaryUsersByThirdPartyInfo_Transaction(appIdentifier, con,
-                                recipeUserIdLM.thirdParty.id, recipeUserIdLM.thirdParty.userId);
+                                currLoginMethod.thirdParty.id, currLoginMethod.thirdParty.userId);
                 for (AuthRecipeUserInfo userWithSameThirdParty : usersWithSameThirdParty) {
                     if (!userWithSameThirdParty.tenantIds.contains(tenantId)) {
                         continue;
@@ -310,8 +320,6 @@ private static CanLinkAccountsResult canLinkAccountsHelper(TransactionConnection
 
             }
         }
-
-        return new CanLinkAccountsResult(recipeUser.getSupertokensUserId(), primaryUser.getSupertokensUserId(), false);
     }
 
     @TestOnly

src/test/java/io/supertokens/test/accountlinking/LinkAccountsTest.java

@@ -517,6 +517,69 @@ public void linkAccountFailureCauseAccountInfoAssociatedWithAPrimaryUserEvenIfIn
         assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
     }
 
+    @Test
+    public void linkAccountFailureCauseAccountInfoAssociatedWithAPrimaryUserEvenIfInDifferentTenant2() throws Exception {
+        String[] args = {"../"};
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        FeatureFlagTestContent.getInstance(process.getProcess())
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{
+                        EE_FEATURES.ACCOUNT_LINKING, EE_FEATURES.MULTI_TENANCY});
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        Multitenancy.addNewOrUpdateAppOrTenant(process.main, new TenantIdentifier(null, null, null),
+                new TenantConfig(new TenantIdentifier(null, null, "t1"), new EmailPasswordConfig(true),
+                        new ThirdPartyConfig(true, null), new PasswordlessConfig(true),
+                        null, null, new JsonObject()));
+
+        Multitenancy.addNewOrUpdateAppOrTenant(process.main, new TenantIdentifier(null, null, null),
+                new TenantConfig(new TenantIdentifier(null, null, "t2"), new EmailPasswordConfig(true),
+                        new ThirdPartyConfig(true, null), new PasswordlessConfig(true),
+                        null, null, new JsonObject()));
+
+        Storage storage = (StorageLayer.getStorage(process.main));
+
+        AuthRecipeUserInfo conflictingUser =
+                EmailPassword.signUp(new TenantIdentifier(null, null, "t2"), storage,
+                        process.getProcess(),
+                        "[email protected]", "password");
+        assert (!conflictingUser.isPrimaryUser);
+        AuthRecipe.createPrimaryUser(process.main, conflictingUser.getSupertokensUserId());
+
+        Thread.sleep(50);
+
+        AuthRecipeUserInfo user1 =
+                EmailPassword.signUp(new TenantIdentifier(null, null, "t1"), storage,
+                        process.getProcess(),
+                        "[email protected]", "password");
+        assert (!user1.isPrimaryUser);
+
+        AuthRecipeUserInfo user2 =
+                EmailPassword.signUp(new TenantIdentifier(null, null, "t2"), storage,
+                        process.getProcess(),
+                        "[email protected]", "password");
+        assert (!user1.isPrimaryUser);
+
+
+        AuthRecipe.createPrimaryUser(process.main, user1.getSupertokensUserId());
+
+        try {
+            AuthRecipe.linkAccounts(process.main, user2.getSupertokensUserId(),
+                    user1.getSupertokensUserId());
+            assert (false);
+        } catch (AccountInfoAlreadyAssociatedWithAnotherPrimaryUserIdException e) {
+            assert (e.primaryUserId.equals(conflictingUser.getSupertokensUserId()));
+            assert (e.getMessage().equals("This user's email is already associated with another user ID"));
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
     @Test
     public void linkAccountSuccessAcrossTenants() throws Exception {
         String[] args = {"../"};