
fix: require authenticating existing account to link oauth #27871

Open
bo0tzz wants to merge 12 commits into main from fix/oauth-linking

Conversation


@bo0tzz bo0tzz commented Apr 16, 2026

Description

Currently, first OAuth login will automatically link to any existing Immich account with a matching email address. On some IDP configurations, this may allow for account takeover. This PR changes the process to require entering the password of an existing Immich account before being able to link it to an OAuth identity.

How Has This Been Tested?

Configured OAuth, then ran through the various flows.

2026-04-16.20-40-50.mp4
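As an added example (not Immich's code), this TypeScript contrasts the email-based auto-link the description calls out with a flow that only links the OAuth identity after the existing account's password has been verified; the types, function names and in-memory stores are hypothetical.

```typescript
// Added example, not Immich's code: the email auto-link behaviour the PR
// describes next to a flow that only links an OAuth identity once the
// existing account's password has been verified. Stores are in-memory and
// all names (User, OAuthProfile, loginVulnerable, loginHardened, completeLink) are hypothetical.
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

interface User { id: string; email: string; passwordHash: string; oauthSub?: string }
interface OAuthProfile { sub: string; email: string }

// Demo hashing only; a real service uses a slow password hash (argon2/bcrypt).
const hashPassword = (pw: string) => createHash('sha256').update(pw).digest('hex');
const verifyPassword = (pw: string, stored: string) =>
  timingSafeEqual(Buffer.from(hashPassword(pw)), Buffer.from(stored));

// Constructed sample accounts with local passwords and no OAuth link yet.
const users: User[] = [
  { id: 'u1', email: 'alice@example.com', passwordHash: hashPassword('correct horse') },
  { id: 'u2', email: 'bob@example.com', passwordHash: hashPassword('battery staple') },
];
const linkTokens = new Map<string, { userId: string; sub: string; expires: number }>();

// Before: whoever the IdP asserts owns this email is logged in as that account.
export function loginVulnerable(profile: OAuthProfile): User | undefined {
  const user = users.find((u) => u.email === profile.email);
  if (user && !user.oauthSub) user.oauthSub = profile.sub;
  return user;
}

// After: an email match only yields a short-lived, single-use link token;
// the user must then prove the local password before the link is stored.
export function loginHardened(profile: OAuthProfile, now = Date.now()): { user?: User; linkToken?: string } {
  const linked = users.find((u) => u.oauthSub === profile.sub);
  if (linked) return { user: linked };
  const byEmail = users.find((u) => u.email === profile.email);
  if (!byEmail || byEmail.oauthSub) return {}; // new-account creation is out of scope here
  const token = randomBytes(32).toString('hex');
  linkTokens.set(token, { userId: byEmail.id, sub: profile.sub, expires: now + 5 * 60_000 });
  return { linkToken: token };
}

export function completeLink(token: string, password: string, now = Date.now()): boolean {
  const pending = linkTokens.get(token);
  linkTokens.delete(token); // single use, whether or not the password is right
  if (!pending || pending.expires < now) return false;
  const user = users.find((u) => u.id === pending.userId);
  if (!user || !verifyPassword(password, user.passwordHash)) return false;
  user.oauthSub = pending.sub;
  return true;
}
```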

@bo0tzz bo0tzz force-pushed the fix/oauth-linking branch 3 times, most recently from e535be7 to ef48f9c Compare April 17, 2026 00:33
@bo0tzz bo0tzz marked this pull request as ready for review April 17, 2026 07:45
@bo0tzz bo0tzz force-pushed the fix/oauth-linking branch from 532737b to c2ef6eb Compare April 18, 2026 10:52
@bo0tzz bo0tzz force-pushed the fix/oauth-linking branch from c2ef6eb to d50ea00 Compare April 18, 2026 11:48

@jrasm91 jrasm91 left a comment


Looks great. I'll have to do some testing on Monday.

Comment on lines +25 to +26
const handleSubmit = async (event: Event) => {
event.preventDefault();


Suggested change
- const handleSubmit = async (event: Event) => {
-   event.preventDefault();
+ const handleSubmit = async () => {

Member Author


Why shouldn't we preventDefault here?



3 participants