[GH-ISSUE #2062] Duplicate social sign-on accounts with the same email via authClient.linkSocial is allowed #17666

Closed
opened 2026-04-15 15:52:53 -05:00 by GiteaMirror · 7 comments

Originally created by @stefan1575 on GitHub (Mar 31, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/2062

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

  1. Create a new user that uses emailAndPassword authentication using authClient.signUp.email
  2. While logged in, link an account using the Google social provider using authClient.linkSocial.
  3. Invoke another authClient.linkSocial call with the same, already successfully linked Google account.

Current vs. Expected behavior

Following the steps from the previous section:

Expected Behavior

  • I expected the additional authClient.linkSocial call to either fail silently or throw an error, preventing duplicate account entries.

Actual Behavior

  • The additional authClient.linkSocial calls succeed, leading to multiple entries in the accounts table.
  • This results in duplicate accounts with the same account_id for the same user_id.
  • Example scenario: A user who initially signs up with emailAndPassword can link the same Google account multiple times, creating duplicate entries in the database.

What version of Better Auth are you using?

1.2.5

Provide environment information

- OS: Windows 10
- Browser: Google Chrome

Which area(s) are affected? (Select all that apply)

Backend, Client

Auth config (if applicable)

import { db } from "@/db";
import * as schema from "@/db/schema";
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";

export const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: "pg",
    schema: schema, // this comes from the better-auth cli
  }),
  account: {
    accountLinking: {
      enabled: true,
    },
  },
  emailAndPassword: {
    enabled: true,
  },
  socialProviders: {
    google: {
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      redirectURI: process.env.BETTER_AUTH_URL! + "/api/auth/callback/google",
    },
  },
});

Additional context

No response

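To make the reported behaviour and its remedy concrete, here is an added example (written for this thread, not code from better-auth or from the issue author). It models the `account` table as an in-memory structure with a composite uniqueness key on (provider_id, account_id), shows the unguarded insert that leaves two rows for one user_id, and beside it a link routine that looks the provider identity up first and refuses to attach an identity that already belongs to a different user. The column name `provider_id`, the constructed sample ids (`user-1`, `google-sub-123`) and the `LinkResult` outcomes are assumptions of this example; the durable fix in a real deployment is the same uniqueness enforced by a database unique index, which the `insertUnique` path emulates.

```typescript
// Added example, not better-auth's implementation: a minimal model of the
// `account` table and an idempotent link-social handler.

type AccountRow = {
  id: number;
  userId: string;
  providerId: string; // e.g. "google" (column name assumed)
  accountId: string;  // the provider's stable subject id for that identity
};

// Outcomes of a link attempt (names are this example's assumption).
type LinkResult = "linked" | "already-linked" | "linked-to-other-user";

class AccountTable {
  private rows: AccountRow[] = [];
  // Emulates a composite UNIQUE (provider_id, account_id) index.
  private uniqueIndex = new Set<string>();

  private static key(providerId: string, accountId: string): string {
    return `${providerId}\u0000${accountId}`;
  }

  // Unguarded path: inserts a row regardless of what is already linked.
  insertUnchecked(row: Omit<AccountRow, "id">): AccountRow {
    const saved: AccountRow = { id: this.rows.length + 1, ...row };
    this.rows.push(saved);
    return saved;
  }

  // Guarded path: a duplicate (provider, account) pair is refused,
  // the way a database unique index would refuse it.
  insertUnique(row: Omit<AccountRow, "id">): AccountRow {
    const k = AccountTable.key(row.providerId, row.accountId);
    if (this.uniqueIndex.has(k)) {
      throw new Error(
        `unique violation on (provider_id, account_id) = (${row.providerId}, ${row.accountId})`,
      );
    }
    this.uniqueIndex.add(k);
    return this.insertUnchecked(row);
  }

  findByProviderAccount(providerId: string, accountId: string): AccountRow | undefined {
    return this.rows.find((r) => r.providerId === providerId && r.accountId === accountId);
  }

  rowsForUser(userId: string): AccountRow[] {
    return this.rows.filter((r) => r.userId === userId);
  }
}

// Idempotent link: look the provider identity up first, report a repeat
// link as already linked, and never attach an identity owned by another user.
function linkSocial(table: AccountTable, userId: string, providerId: string, accountId: string): LinkResult {
  const existing = table.findByProviderAccount(providerId, accountId);
  if (existing) {
    return existing.userId === userId ? "already-linked" : "linked-to-other-user";
  }
  table.insertUnique({ userId, providerId, accountId });
  return "linked";
}

// Reproduces the reported behaviour: linking the same Google identity twice
// through the unguarded insert leaves two rows for one user.
function duplicateRowsWithoutGuard(): number {
  const table = new AccountTable();
  // Constructed sample identity, not real data.
  const link = { userId: "user-1", providerId: "google", accountId: "google-sub-123" };
  table.insertUnchecked(link);
  table.insertUnchecked(link);
  return table.rowsForUser("user-1").length; // 2
}

// Guarded flow: the repeat link is reported, a second user cannot claim the
// same identity, and exactly one row exists for user-1.
function guardedFlow(): { first: LinkResult; second: LinkResult; otherUser: LinkResult; rows: number } {
  const table = new AccountTable();
  const first = linkSocial(table, "user-1", "google", "google-sub-123");
  const second = linkSocial(table, "user-1", "google", "google-sub-123");
  const otherUser = linkSocial(table, "user-2", "google", "google-sub-123");
  return { first, second, otherUser, rows: table.rowsForUser("user-1").length };
}

// Defence in depth: even if application code skips the lookup, the
// uniqueness index rejects the second insert and the row count stays at one.
function uniqueIndexRejectsDuplicate(): boolean {
  const table = new AccountTable();
  const link = { userId: "user-1", providerId: "google", accountId: "google-sub-123" };
  table.insertUnique(link);
  try {
    table.insertUnique(link);
    return false;
  } catch {
    return table.rowsForUser("user-1").length === 1;
  }
}
```

The two layers are deliberate: the application-level lookup gives the caller a meaningful outcome (including the case where the provider identity is already attached to someone else), while the uniqueness constraint guarantees that a race between two concurrent link requests, or a code path that forgets the lookup, still cannot produce a second row.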
GiteaMirror added the locked and bug labels 2026-04-15 15:52:53 -05:00

@Kinfe123 commented on GitHub (Mar 31, 2025):

Pls refer to this pr - #1803


@stefan1575 commented on GitHub (Mar 31, 2025):

> Pls refer to this pr - #1803 (https://github.com/better-auth/better-auth/pull/1803)

The relevant tables for this discussion are user and account.

I guess I could have worded it better 😅.

What I meant was in the same user, I could register the same google account multiple times and it would reflect on the database where I have two user@gmail.com.

To illustrate this, one user may have two duplicate google accounts which is shown by the account_id.

Image: https://github.com/user-attachments/assets/6835fde3-ed19-4826-b73e-7ac6a098759e

Currently there is check whether or not the user has already linked the same google account.

I also edited my initial post.


@dosubot[bot] commented on GitHub (Jun 30, 2025):

Hi, @stefan1575. I'm Dosu, and I'm helping the better-auth team manage their backlog. I'm marking this issue as stale.

Issue Summary:

  • The issue involves the authClient.linkSocial function in Better Auth version 1.2.5.
  • The same Google account can be linked multiple times, causing duplicate entries in the accounts table.
  • You clarified that the issue is due to the lack of a check to prevent the same Google account from being registered multiple times under the same user.
  • Kinfe123 suggested looking at pull request #1803 for a potential solution.

Next Steps:

  • Please let us know if this issue is still relevant to the latest version of the better-auth repository. If so, you can keep the discussion open by commenting on the issue.
  • Otherwise, the issue will be automatically closed in 7 days.

Thank you for your understanding and contribution!


@itsjavi commented on GitHub (Jul 28, 2025):

so this means that for every sign in with the same oauth provider, a new account is created...

why is this designed like this?


@himself65 commented on GitHub (Aug 6, 2025):

> so this means that for every sign in with the same oauth provider, a new account is created...
>
> why is this designed like this?

@itsjavi

Hi, this is a bug. And we are fixing it.


@liamdln commented on GitHub (Sep 2, 2025):

> > so this means that for every sign in with the same oauth provider, a new account is created...
> > why is this designed like this?
>
> @itsjavi
>
> Hi, this is a bug. And we are fixing it.

Thanks for your work on this, do you have any timeframe for this fix being in a stable release?


@himself65 commented on GitHub (Sep 2, 2025):

This should be in the 1.3.8 beta version now; you can have a try.


Reference: github-starred/better-auth#17666