Link OAuth accounts with different email from account email

Author: catarak

server/config/passport.js

@@ -96,39 +96,52 @@ passport.use(new GitHubStrategy({
 }, (req, accessToken, refreshToken, profile, done) => {
   User.findOne({ github: profile.id }, (findByGithubErr, existingUser) => {
     if (existingUser) {
+      if (req.user && req.user.email !== existingUser.email) {
+        done(new Error('GitHub account is already linked to another account.'));
+        return;
+      }
       done(null, existingUser);
       return;
     }
 
     const emails = getVerifiedEmails(profile.emails);
     const primaryEmail = getPrimaryEmail(profile.emails);
 
-    User.findByEmail(emails, (findByEmailErr, existingEmailUser) => {
-      if (existingEmailUser) {
-        existingEmailUser.email = existingEmailUser.email || primaryEmail;
-        existingEmailUser.github = profile.id;
-        existingEmailUser.username = existingEmailUser.username || profile.username;
-        existingEmailUser.tokens.push({ kind: 'github', accessToken });
-        existingEmailUser.name = existingEmailUser.name || profile.displayName;
-        existingEmailUser.verified = User.EmailConfirmation.Verified;
-        existingEmailUser.save(saveErr => done(null, existingEmailUser));
-      } else {
-        let { username } = profile;
-        User.findByUsername(username, { caseInsensitive: true }, (findByUsernameErr, existingUsernameUser) => {
-          if (existingUsernameUser) {
-            username = generateUniqueUsername(username);
-          }
-          const user = new User();
-          user.email = primaryEmail;
-          user.github = profile.id;
-          user.username = profile.username;
-          user.tokens.push({ kind: 'github', accessToken });
-          user.name = profile.displayName;
-          user.verified = User.EmailConfirmation.Verified;
-          user.save(saveErr => done(null, user));
-        });
+    if (req.user) {
+      if (!req.user.github) {
+        req.user.github = profile.id;
+        req.user.tokens.push({ kind: 'github', accessToken });
+        req.user.verified = User.EmailConfirmation.Verified;
       }
-    });
+      req.user.save(saveErr => done(null, req.user));
+    } else {
+      User.findByEmail(emails, (findByEmailErr, existingEmailUser) => {
+        if (existingEmailUser) {
+          existingEmailUser.email = existingEmailUser.email || primaryEmail;
+          existingEmailUser.github = profile.id;
+          existingEmailUser.username = existingEmailUser.username || profile.username;
+          existingEmailUser.tokens.push({ kind: 'github', accessToken });
+          existingEmailUser.name = existingEmailUser.name || profile.displayName;
+          existingEmailUser.verified = User.EmailConfirmation.Verified;
+          existingEmailUser.save(saveErr => done(null, existingEmailUser));
+        } else {
+          let { username } = profile;
+          User.findByUsername(username, { caseInsensitive: true }, (findByUsernameErr, existingUsernameUser) => {
+            if (existingUsernameUser) {
+              username = generateUniqueUsername(username);
+            }
+            const user = new User();
+            user.email = primaryEmail;
+            user.github = profile.id;
+            user.username = profile.username;
+            user.tokens.push({ kind: 'github', accessToken });
+            user.name = profile.displayName;
+            user.verified = User.EmailConfirmation.Verified;
+            user.save(saveErr => done(null, user));
+          });
+        }
+      });
+    }
   });
 }));
 
@@ -144,49 +157,62 @@ passport.use(new GoogleStrategy({
 }, (req, accessToken, refreshToken, profile, done) => {
   User.findOne({ google: profile._json.emails[0].value }, (findByGoogleErr, existingUser) => {
     if (existingUser) {
+      if (req.user && req.user.email !== existingUser.email) {
+        done(new Error('Google account is already linked to another account.'));
+        return;
+      }
       done(null, existingUser);
       return;
     }
 
     const primaryEmail = profile._json.emails[0].value;
 
-    User.findByEmail(primaryEmail, (findByEmailErr, existingEmailUser) => {
-      let username = profile._json.emails[0].value.split('@')[0];
-      User.findByUsername(username, { caseInsensitive: true }, (findByUsernameErr, existingUsernameUser) => {
-        if (existingUsernameUser) {
-          username = generateUniqueUsername(username);
-        }
-        // what if a username is already taken from the display name too?
-        // then, append a random friendly word?
-        if (existingEmailUser) {
-          existingEmailUser.email = existingEmailUser.email || primaryEmail;
-          existingEmailUser.google = profile._json.emails[0].value;
-          existingEmailUser.username = existingEmailUser.username || username;
-          existingEmailUser.tokens.push({ kind: 'google', accessToken });
-          existingEmailUser.name = existingEmailUser.name || profile._json.displayName;
-          existingEmailUser.verified = User.EmailConfirmation.Verified;
-          existingEmailUser.save((saveErr) => {
-            if (saveErr) {
-              console.log(saveErr);
-            }
-            done(null, existingEmailUser);
-          });
-        } else {
-          const user = new User();
-          user.email = primaryEmail;
-          user.google = profile._json.emails[0].value;
-          user.username = username;
-          user.tokens.push({ kind: 'google', accessToken });
-          user.name = profile._json.displayName;
-          user.verified = User.EmailConfirmation.Verified;
-          user.save((saveErr) => {
-            if (saveErr) {
-              console.log(saveErr);
-            }
-            done(null, user);
-          });
-        }
+    if (req.user) {
+      if (!req.user.google) {
+        req.user.google = profile._json.emails[0].value;
+        req.user.tokens.push({ kind: 'google', accessToken });
+        req.user.verified = User.EmailConfirmation.Verified;
+      }
+      req.user.save(saveErr => done(null, req.user));
+    } else {
+      User.findByEmail(primaryEmail, (findByEmailErr, existingEmailUser) => {
+        let username = profile._json.emails[0].value.split('@')[0];
+        User.findByUsername(username, { caseInsensitive: true }, (findByUsernameErr, existingUsernameUser) => {
+          if (existingUsernameUser) {
+            username = generateUniqueUsername(username);
+          }
+          // what if a username is already taken from the display name too?
+          // then, append a random friendly word?
+          if (existingEmailUser) {
+            existingEmailUser.email = existingEmailUser.email || primaryEmail;
+            existingEmailUser.google = profile._json.emails[0].value;
+            existingEmailUser.username = existingEmailUser.username || username;
+            existingEmailUser.tokens.push({ kind: 'google', accessToken });
+            existingEmailUser.name = existingEmailUser.name || profile._json.displayName;
+            existingEmailUser.verified = User.EmailConfirmation.Verified;
+            existingEmailUser.save((saveErr) => {
+              if (saveErr) {
+                console.log(saveErr);
+              }
+              done(null, existingEmailUser);
+            });
+          } else {
+            const user = new User();
+            user.email = primaryEmail;
+            user.google = profile._json.emails[0].value;
+            user.username = username;
+            user.tokens.push({ kind: 'google', accessToken });
+            user.name = profile._json.displayName;
+            user.verified = User.EmailConfirmation.Verified;
+            user.save((saveErr) => {
+              if (saveErr) {
+                console.log(saveErr);
+              }
+              done(null, user);
+            });
+          }
+        });
       });
-    });
+    }
   });
 }));