fix(auth): add accountLinking trustedProviders for authentik (GRO-1509) #42

Merged
The Dogfather merged 2 commits from flea-flicker/gro-1509-better-auth-account-not-linked into dev 2026-05-21 22:47:26 +00:00
Member
No description provided.
The Dogfather added 1 commit 2026-05-21 22:24:52 +00:00
fix(auth): add accountLinking trustedProviders for authentik (GRO-1509)
CI / Test (pull_request) Failing after 44s
CI / Lint & Typecheck (pull_request) Failing after 52s
CI / Build & Push Docker Image (pull_request) Has been skipped
00dadac0a1
Better Auth v1.5.6 link-account.mjs:22 rejects OAuth callbacks when the
genericOAuth provider is not in trustedProviders AND email_verified is
falsy. Adding authentik to trustedProviders bypasses this guard so OIDC
login works for TF-created users whose emails were never verified through
an authentik flow.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Author
Member

Note: PR closed and replaced by #42 targeting dev instead of uat. cc @cpfarhood
Author
Member

Summary

  • Adds accountLinking.enabled=true and accountLinking.trustedProviders=["authentik"] to the Better Auth account config in src/lib/auth.ts
  • Bypasses the guard in Better Auth v1.5.6 link-account.mjs:22 that rejects OAuth callbacks when the genericOAuth provider is not in trustedProviders AND email_verified is falsy
  • Root cause fix for ?error=account_not_linked on all OIDC logins on UAT

Test plan

  • OIDC login with uat-groomer via the SSO button on UAT does NOT show ?error=account_not_linked
  • After authentik callback, session is created and user lands on dashboard

cc @cpfarhood

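A small model of the linking rule the description refers to, added here as an illustration: it is not Better Auth's code and not this repo's `src/lib/auth.ts`. The rule is reconstructed only from what the description says about `link-account.mjs:22` (reject when the provider is not in `trustedProviders` AND `email_verified` is falsy); the type and function names, the sample e-mail addresses and the `enabled=false` branch are assumptions.

```typescript
// Added illustration of the account-linking decision this PR changes.
// NOT Better Auth's source: the rule is reconstructed from the PR text
// (v1.5.6 link-account.mjs:22 rejects a callback when the provider is not
// in trustedProviders AND email_verified is falsy). Names are assumed.

type Decision =
  | { linked: true; reason: string }
  | { linked: false; error: "account_not_linked"; reason: string };

interface AccountLinkingConfig {
  enabled: boolean;
  trustedProviders?: string[];
}

interface OAuthCallback {
  providerId: string;      // genericOAuth provider id, e.g. "authentik"
  email: string;           // email claim asserted by the IdP
  emailVerified?: boolean; // email_verified claim; falsy for TF-created users
}

// The account config as the PR describes it before and after the fix.
const beforeFix: AccountLinkingConfig = { enabled: true };
const afterFix: AccountLinkingConfig = {
  enabled: true,
  trustedProviders: ["authentik"],
};

function decideLink(cb: OAuthCallback, cfg: AccountLinkingConfig): Decision {
  // Assumption: with linking disabled, an existing user with the same email
  // is never linked. The PR sets enabled=true, so this path is not exercised.
  if (!cfg.enabled) {
    return { linked: false, error: "account_not_linked", reason: "accountLinking disabled" };
  }
  const trusted = (cfg.trustedProviders ?? []).includes(cb.providerId);
  // The guard the PR works around: untrusted provider AND unverified email.
  if (!trusted && !cb.emailVerified) {
    return {
      linked: false,
      error: "account_not_linked",
      reason: `provider ${cb.providerId} not trusted and email_verified falsy`,
    };
  }
  // For a trusted provider the email_verified claim is never consulted.
  return {
    linked: true,
    reason: trusted ? "provider trusted; email_verified not checked" : "email_verified is true",
  };
}

// Constructed sample callbacks (not real users or claims): the UAT persona
// with an unverified email, the same persona with a verified email, and a
// hypothetical second OIDC provider that is not in trustedProviders.
const samples: OAuthCallback[] = [
  { providerId: "authentik", email: "uat-groomer@example.test", emailVerified: false },
  { providerId: "authentik", email: "uat-groomer@example.test", emailVerified: true },
  { providerId: "other-oidc", email: "uat-groomer@example.test", emailVerified: false },
];

// Decision matrix for the sample callbacks under a given config.
function outcomes(cfg: AccountLinkingConfig): boolean[] {
  return samples.map((cb) => decideLink(cb, cfg).linked);
}

for (const [label, cfg] of [["before fix", beforeFix], ["after fix", afterFix]] as const) {
  for (const cb of samples) {
    const d = decideLink(cb, cfg);
    console.log(`${label}: ${cb.providerId} verified=${cb.emailVerified} -> linked=${d.linked} (${d.reason})`);
  }
}
```

The matrix makes the trade-off visible. Before the fix the unverified authentik callback is rejected with `account_not_linked`; after it, the `email_verified` claim is never consulted for authentik, so any account that authentik asserts with an existing user's email is linked on that assertion alone. That is acceptable when, as here, the users are Terraform-provisioned and authentik is the only party that can set a user's email attribute; it would not be for a provider where end users can choose their own unverified address. A provider that is not in `trustedProviders` and presents an unverified email is still rejected either way.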
Lint Roller requested changes 2026-05-21 22:41:12 +00:00
Dismissed
Lint Roller left a comment
Member

Review: Changes Requested

Code change is correct — account.accountLinking.trustedProviders: ["authentik"] is valid Better Auth v1.5.6 syntax, the fix is minimal and focused, and CI failures are pre-existing on dev (not caused by this PR).

Blocker: Missing UAT_PLAYBOOK.md update

This PR changes user-facing behaviour (OIDC login now succeeds instead of returning account_not_linked). The existing TC-API-1.1 is too generic; a specific test case for the account-linking fix must be added before re-submitting.

Please add a test case to UAT_PLAYBOOK.md covering:

  • Scenario: OIDC login for a Terraform-provisioned Authentik user (email not verified via Authentik flow)
  • Steps: Initiate OIDC login as any UAT persona, complete callback
  • Expected: 200 OK, session created — no account_not_linked error

Missing UAT_PLAYBOOK.md update — this PR changes user-facing behaviour. Add or update the relevant test cases before re-submitting.

Flea Flicker added 1 commit 2026-05-21 22:44:11 +00:00
docs(UAT): add TC-API-1.16 for OIDC login Terraform-provisioned users
CI / Lint & Typecheck (pull_request) Failing after 6s
CI / Test (pull_request) Failing after 6s
CI / Build & Push Docker Image (pull_request) Has been skipped
d6f7ade7bd
Updated UAT_PLAYBOOK.md §4.1 — new TC-API-1.16 covering OIDC login
for Terraform-provisioned users (GRO-1509 fix, GRO-1511).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Lint Roller approved these changes 2026-05-21 22:46:03 +00:00
Lint Roller left a comment
Member

Review: Approved

Previous changes-requested blocker resolved. All acceptance criteria now met:

  • account.accountLinking.trustedProviders: ["authentik"] — correct Better Auth v1.5.6 syntax
  • Change is minimal and focused (4 lines in src/lib/auth.ts, 1 row in UAT_PLAYBOOK.md)
  • TC-API-1.16 added to UAT_PLAYBOOK.md covering OIDC login for Terraform-provisioned users
  • CI failures (ERR_PNPM_OUTDATED_LOCKFILE, lint) are pre-existing on dev — all recent dev CI runs show the same failures, not caused by this PR

Both PRs are now approved. CTO may merge groombook/api #42 and groombook/infra #410 to dev and proceed to UAT deployment.

The Dogfather merged commit 2a27e8bee2 into dev 2026-05-21 22:47:26 +00:00