From 00dadac0a1ba07f1342f3798a6c7db12c049d764 Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea@groombook.dev>
Date: Thu, 21 May 2026 22:24:48 +0000
Subject: [PATCH] fix(auth): add accountLinking trustedProviders for authentik
 (GRO-1509)

Betters Auth v1.5.6 link-account.mjs:22 rejects OAuth callbacks when the
genericOAuth provider is not in trustedProviders AND email_verified is
falsy. Adding authentik to trustedProviders bypasses this guard so OIDC
login works for TF-created users whose emails were never verified through
an authentik flow.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 src/lib/auth.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 209e9d6..9e78740 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -251,6 +251,10 @@ export async function initAuth(): Promise<void> {
         },
       },
       account: {
+        accountLinking: {
+          enabled: true,
+          trustedProviders: ["authentik"],
+        },
         storeStateStrategy: "cookie" as const,
       },
       emailAndPassword: {