Introduce Account linking for new Users

[XiNiHa]

Background

Part of #470

We can easily introduce Account Linking for users who don't have any duplicate accounts yet.

Description

• Reuse existing Hive user when there is a user with a matching email address, even with SuperTokens users with different supertoken_user_id
• Assert OIDC integration ID of sessions when performing access checks against OIDC-only organizations
• Remove existing guards around OIDC-only orgs and SuperTokens-Hive 1-1 relationships

Checklist

• Input validation
• Output encoding
• Authentication management
• Session management
• Access control
• Cryptographic practices
• Error handling and logging
• Data protection
• Communication security
• System configuration
• Database security
• File management
• Memory management
• Testing

[gemini-code-assist]

Summary of Changes

Hello @XiNiHa, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances user management by implementing account linking based on email addresses, allowing for a more seamless experience for users who might have multiple SuperTokens accounts but a single Hive identity. It also refines OIDC integration by enforcing stricter access checks for OIDC-only organizations and removes previous limitations on OIDC users, granting them more flexibility within the platform. These changes streamline user provisioning and access control, particularly in environments leveraging OIDC.

Highlights

• Account Linking for New Users: Introduces a mechanism to link new user accounts by reusing an existing Hive user if a matching email address is found, even if the SuperTokens user ID differs.
• Refined OIDC Access Control: Access checks for OIDC-only organizations now explicitly assert the OIDC integration ID, ensuring that only users authenticated through the correct OIDC integration can access these organizations.
• Removed OIDC User Restrictions: Eliminates previous guards that prevented OIDC users from creating new organizations or joining existing ones, and allows OIDC users to switch organizations.
• Session and User Model Enhancements: The SuperTokensCookieBasedSession and UserActor now include userId and oidcIntegrationId to better manage user identity and OIDC context across the application.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

Package	Version	Info
hive	9.3.1-alpha-20260205153403-7598b99d688f89564dda24bc33794fb3a5e2a2e0	npm ↗︎ unpkg ↗︎

[gemini-code-assist]

Code Review

This pull request introduces significant changes to user and session management, particularly around OIDC integration. The UserActor and SuperTokensCookieBasedSession types are updated to include oidcIntegrationId and userId, allowing sessions to carry more detailed user and OIDC context. The SuperTokensUserAuthNStrategy and SuperTokenAccessTokenModel are adjusted to handle these new fields, with internalApi.ensureUser being called during session creation to populate userId and oidcIntegrationId in the session payload. The oidcIntegrationId field is removed from the core User entity in the database schema and UserModel is updated to reflect superTokensUserId as nullable, indicating a shift in how OIDC user data is stored and managed. User creation and lookup logic in the storage layer (ensureUser, createUser) is refactored to prioritize email-based lookup and to decouple superTokensUserId and oidcIntegrationId from the initial user creation, with a new mechanism to nullify these fields for existing users. Permissions and organization management are also updated: OIDC users can now create and join organizations, and the logic for canSwitchOrganization and myDefaultOrganization is simplified. Review comments highlight critical issues: a try...catch block in supertokens.ts that swallows errors from internalApi.ensureUser, a SQL syntax error (trailing comma) in storage/src/index.ts's getUserById query, and two instances where database operations within a transaction in storage/src/index.ts incorrectly use the main connection pool instead of the transaction connection, risking data inconsistency.

[github-actions]

📚 Storybook Deployment

The latest changes are available as preview in: https://pr-7390.hive-storybook.pages.dev

[github-actions]

💻 Website Preview

The latest changes are available as preview in: https://pr-7390.hive-landing-page.pages.dev

[github-actions]

🐋 This PR was built and pushed to the following Docker images:

Targets: build

Platforms: linux/amd64

Image Tag: 7598b99d688f89564dda24bc33794fb3a5e2a2e0

[n1ru4l]

note: Renaming the column should be safe here as it only updates the metadata of the column and does not lock the table for a long time or result in rewriting all rows. Compared to other tables this one is quite small 👍

[n1ru4l]

Shouldn't the default org be the oidc org if the user is logged in via that provider?