[PR #8983] [MERGED] fix(oauth2): prevent cross-provider account collision in link-social callback #16593

New Issue

GiteaMirror · 2026-04-13T10:35:55-05:00

GiteaMirror commented

2026-04-13 10:35:55 -05:00

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/8983
Author: @jaydeep-pipaliya
Created: 4/6/2026
Status: ✅ Merged
Merged: 4/9/2026
Merged by: @gustavovalverde

Base: main ← Head: fix/link-social-provider-scoped-account-lookup

📝 Commits (2)

9bd7af6 fix(oauth2): use provider-scoped account lookup in link-social callback
9c9fb5b chore: add changeset for provider-scoped link-social fix

📊 Changes

3 files changed (+190 additions, -3 deletions)

View changed files

➕ .changeset/fix-link-social-provider-scope.md (+9 -0)
📝 packages/better-auth/src/api/routes/callback.ts (+5 -3)
📝 packages/better-auth/src/oauth2/link-account.test.ts (+176 -0)

📄 Description

Summary

Fixes #8906

The link-social callback at packages/better-auth/src/api/routes/callback.ts:196 used findAccount(String(userInfo.id)) which searches by accountId across all providers. When two different providers return the same numeric user ID (e.g. both GitHub and Google happen to return id = 99999), the lookup could match an account belonging to a completely different provider and a different user, causing a spurious account_already_linked_to_different_user error or — worse — silently updating the wrong account's tokens.

The generic OAuth plugin already does this correctly using findAccountByProviderId. This PR applies the same provider-scoped lookup to the main social callback link path.

Change

- const existingAccount = await c.context.internalAdapter.findAccount(
-     String(userInfo.id),
- );
+ const existingAccount =
+     await c.context.internalAdapter.findAccountByProviderId(
+         String(userInfo.id),
+         provider.id,
+     );

Test

Added a regression test in link-account.test.ts that:

Creates User A with a Google account (accountId = "99999")
Creates User B (email/password) and links GitHub — also returning accountId "99999"
Verifies User B's GitHub link succeeds without error (old code would return account_already_linked_to_different_user)
Verifies User A's Google account is untouched

Summary by cubic

Scopes account lookup by provider in the OAuth2 link-social callback to prevent collisions when different providers return the same account ID. This avoids false account_already_linked_to_different_user errors and accidental token updates.

Bug Fixes
- Use findAccountByProviderId(accountId, provider.id) instead of findAccount(accountId) in the link-social path.
- Add regression test to ensure linking github does not collide with an existing google account sharing the same numeric ID, and that the original account remains unchanged.
- Add changeset entry for a patch release.

^{Written for commit 9c9fb5bbbf. Summary will update on new commits.}

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/8983 **Author:** [@jaydeep-pipaliya](https://github.com/jaydeep-pipaliya) **Created:** 4/6/2026 **Status:** ✅ Merged **Merged:** 4/9/2026 **Merged by:** [@gustavovalverde](https://github.com/gustavovalverde) **Base:** `main` ← **Head:** `fix/link-social-provider-scoped-account-lookup` --- ### 📝 Commits (2) - [`9bd7af6`](https://github.com/better-auth/better-auth/commit/9bd7af6eeef379972393d6cb6b9595f749a8f17e) fix(oauth2): use provider-scoped account lookup in link-social callback - [`9c9fb5b`](https://github.com/better-auth/better-auth/commit/9c9fb5bbbf0573d06adfa9f0d37f33be0144e6b3) chore: add changeset for provider-scoped link-social fix ### 📊 Changes **3 files changed** (+190 additions, -3 deletions) <details> <summary>View changed files</summary> ➕ `.changeset/fix-link-social-provider-scope.md` (+9 -0) 📝 `packages/better-auth/src/api/routes/callback.ts` (+5 -3) 📝 `packages/better-auth/src/oauth2/link-account.test.ts` (+176 -0) </details> ### 📄 Description ## Summary Fixes #8906 The `link-social` callback at `packages/better-auth/src/api/routes/callback.ts:196` used `findAccount(String(userInfo.id))` which searches by `accountId` across **all providers**. When two different providers return the same numeric user ID (e.g. both GitHub and Google happen to return `id = 99999`), the lookup could match an account belonging to a completely different provider and a different user, causing a spurious `account_already_linked_to_different_user` error or — worse — silently updating the wrong account's tokens. The generic OAuth plugin already does this correctly using `findAccountByProviderId`. This PR applies the same provider-scoped lookup to the main social callback link path. ## Change ```diff - const existingAccount = await c.context.internalAdapter.findAccount( - String(userInfo.id), - ); + const existingAccount = + await c.context.internalAdapter.findAccountByProviderId( + String(userInfo.id), + provider.id, + ); ``` ## Test Added a regression test in `link-account.test.ts` that: 1. Creates User A with a Google account (accountId = `"99999"`) 2. Creates User B (email/password) and links GitHub — also returning accountId `"99999"` 3. Verifies User B's GitHub link succeeds without error (old code would return `account_already_linked_to_different_user`) 4. Verifies User A's Google account is untouched  --- ## Summary by cubic Scopes account lookup by provider in the OAuth2 link-social callback to prevent collisions when different providers return the same account ID. This avoids false `account_already_linked_to_different_user` errors and accidental token updates. - **Bug Fixes** - Use `findAccountByProviderId(accountId, provider.id)` instead of `findAccount(accountId)` in the link-social path. - Add regression test to ensure linking `github` does not collide with an existing `google` account sharing the same numeric ID, and that the original account remains unchanged. - Add changeset entry for a patch release. <sup>Written for commit 9c9fb5bbbf0573d06adfa9f0d37f33be0144e6b3. Summary will update on new commits.</sup>  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-13 10:35:55 -05:00

GiteaMirror closed this issue

2026-04-13 10:35:56 -05:00

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#16593