OAuthAccountNotLinked when creating accounts before user logs in
Burmese posted this in #help-forum
Relevant packages
next 14.1.1
next-auth 4.24.6
I am building a Next.js app with Auth.js, utilizing Google for user authentication and a MongoDB database for data management and session storage.
One of the app features is allowing admins to assign roles to individuals who may not exist in the system yet (haven't logged in so no account). This has run into the OAuthAccountNotLinked message which is a security feature denying users access if they have an account that isn't associated with an existing OAuth provider.
Is there a simple way to bypass this? Currently I am looking at allowing admins to add the user to a role and, if the user doesn't exist, add them to a temporary user pool until they sign in; at that point, update the user id created with the temp user and remove that entry from the temp user pool.
This relies on the admin using a trusted email address for the user in question and that user not logging into the system with a different email address with said OAuth provider.
Are there any security issues, bad practices, or alternatives you might suggest?
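One way to structure the "temporary user pool" idea so that OAuthAccountNotLinked never comes up, as an added example that is not from the original post or from next-auth: pending role grants live in their own collection keyed by email, no user document is created until the adapter creates one on the first OAuth sign-in, and the grant is only claimed when the provider the admin trusted asserts the email as verified. The names `claimPendingRoles`, `TRUSTED_PROVIDER` and the in-memory `store` are assumptions standing in for MongoDB; in a real app this would be called from next-auth's `events.createUser` (or `callbacks.signIn`) with the Google profile.

```javascript
// Added example, not code from the original post or from next-auth.
// `store` is an in-memory stand-in for the MongoDB collections; all data is constructed.

const TRUSTED_PROVIDER = "google"; // hypothetical: the provider admins grant roles for

function normalizeEmail(email) {
  return String(email || "").trim().toLowerCase();
}

// Constructed sample state: one pending grant created by an admin, no user document yet.
function makeStore() {
  return {
    users: new Map(),                        // userId -> { email, roles }
    pendingGrants: new Map([                 // email -> { roles, grantedBy }
      ["Alice@Example.com", { roles: ["editor"], grantedBy: "admin-1" }],
    ]),
  };
}

function findPending(store, email) {
  for (const [key, grant] of store.pendingGrants) {
    if (normalizeEmail(key) === email) return [key, grant];
  }
  return null;
}

// Called after the adapter has created the user document on first sign-in.
// Returns the roles applied ([] if nothing was pending or the claim was refused).
function claimPendingRoles(store, { userId, provider, profile }) {
  // Only honour the provider the admin had in mind, and only an email the IdP
  // itself asserts as verified; an unverified email claim on some other provider
  // must not be able to inherit the role.
  if (provider !== TRUSTED_PROVIDER || profile.email_verified !== true) return [];
  const email = normalizeEmail(profile.email);
  const hit = findPending(store, email);
  if (!hit) return [];
  const [key, grant] = hit;
  const user = store.users.get(userId) || { email, roles: [] };
  user.roles = Array.from(new Set([...user.roles, ...grant.roles]));
  store.users.set(userId, user);
  store.pendingGrants.delete(key); // one-shot: the grant cannot be claimed twice
  return grant.roles;
}
```

The remaining risk the post already names (the person signing in with a different Google address than the one the admin typed) is not something code can close; it is handled by the admin entering the right address, and the pending grant simply stays unclaimed otherwise.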