fix(auth): add accountLinking trustedProviders for authentik (GRO-1509) #41

Closed

The Dogfather wants to merge 1 commits from flea-flicker/gro-1509-better-auth-account-not-linked into uat

pull from: flea-flicker/gro-1509-better-auth-account-not-linked

merge into: groombook:uat

groombook:main

groombook:promote/uat-to-main-gro-2586

groombook:uat

groombook:promote/GRO-2586-cors-to-uat

groombook:dev

groombook:feature/GRO-2586-cors-origin-reflection

groombook:frozen/gro-2425-uat-to-main

groombook:feature/GRO-2425-comma-split-cors-origin

groombook:gro-2381-agents-contributing

groombook:flea/uat-to-main-gro-2359-api

groombook:release/main-GRO-2342-api

groombook:release/main-GRO-2319-api

groombook:flea/promote-main-gro-2311

groombook:promote/GRO-2319-api-to-uat

groombook:feat/GRO-2319-portal-waitlist-surfacing

groombook:flea/promote-main-gro-2172

groombook:dev-to-uat-gro-2311

groombook:flea/gro-2311-seed-portal-statusbadge-appts

groombook:promote/gro-2172-pets-to-uat

groombook:fix/gro-2172-pet-extended-fields

groombook:uat-to-main-gro-2299

groombook:flea/promote-main-gro-2294

groombook:promote/dev-to-uat-gro-2299

groombook:gro-2299-redact-patch-settings

groombook:flea/promote-gro-2294-uat

groombook:flea/gro-2294-route-opt-hardening

groombook:flea/uat-to-main-gro-2157-frozen

groombook:promote/dev-to-uat-gro-2225

groombook:flea/gro-2157-navigation-export

groombook:flea/gro-2235-waitlist-duplicate-409

groombook:feat/gro-2225-uat-seed-route-cohort

groombook:flea/uat-to-main-gro-2234-api

groombook:flea/dev-to-uat-gro-2156

groombook:flea-flicker/gro-2234-portal-session-sliding-ttl

groombook:release/main-6120b96

groombook:flea/gro-2156-travel-buffer-reorder

groombook:release/main-eb92f99

groombook:fix/gro-2214-portal-waitlist-validation

groombook:fix/gro-2203-portal-pet-patch-uuid-validation

groombook:dev-to-uat-gro-2155

groombook:feat/gro-2155-route-optimize-endpoints-dev

groombook:fix/gro-2163-migrate-pre-dns-wait

groombook:fix/gro-2187-portal-photokey-hijack

groombook:dev-to-uat-gro-2154

groombook:feat/gro-2154-geocoding-endpoints-dev

groombook:flea-flicker/gro-2197-ci-api-gate

groombook:dev-to-uat-gro-2153

groombook:dev-to-uat-gro-2187

groombook:fix/gro-2187-portal-pets-patch

groombook:dev-to-uat-gro-2129

groombook:flea-flicker/gro-2123-cleanup-stale-seed-duplicate

groombook:dev-to-uat-gro-2123

groombook:flea-flicker/gro-2123-seed-advisory-lock

groombook:promote/dev-to-uat-gro-2100

groombook:flea/gro-2100-uat-groomer-pet-linkage

groombook:flea/gro-2062-owner-bypass-audit

groombook:flea/gro-2052-rbac-betterauth-user-autoprovision

groombook:dogfather/gro-2013-promote-uat

groombook:flea/gro-2013-owner-bypass-deployed-tree

groombook:flea/gro-2033-idempotent-pet-profile-migrations

groombook:fix/gro-2014-profile-summary-error-handling

groombook:flea/gro-2000-uat-password-source-doc

groombook:fix/gro-1999-uat-seed-extra-large

groombook:fix/gro-1983-seed-pnpm-baked

groombook:fix/GRO-1979-coat-type-pet-size-enum-fix

groombook:fleaflicker/GRO-1962-deterministic-testcoopper-rocky

groombook:flea/gro-1977-seed-idempotency

groombook:fix/GRO-1977-seed-credential-idempotency

groombook:promote/dev-to-uat-gro-1971

groombook:fix/gro-1971-coat-type-enum-missing-short

groombook:fix/GRO-1962-uat-seed-pet-medicalalerts

groombook:flea/GRO-1955-fix-uc-undefined-seed

groombook:fix/GRO-1909-migrate-corepack-offline

groombook:fix/GRO-1953-coat-type-short-missing

groombook:fleaflicker/gro-medical-alert-types-behavioral-skin

groombook:fleaflicker/gro-1921-uat-reset-full-seed

groombook:flea/GRO-1945-pets-visitcount-hotfix

groombook:fix/GRO-1935-uat-customer-client-seed

groombook:fix/GRO-1914-seed-typeof

groombook:feature/GRO-1898-extended-pet-profile-seed

groombook:seed/extended-profile-fields-gro-1898

groombook:fix/gro-1889-reset-demo-data-pnpm

groombook:promote/dev-to-uat-gro-1866

groombook:fix/gro-1866-qa-fixes

groombook:fix/gro-1866-sso-bridge

groombook:fix/gro-1850-pet-profile-migration

groombook:promote/dev-to-uat-gro-1790

groombook:flea-flicker/pet-profile-summary

groombook:ff/gro-1765-trigger-ci

groombook:promo/gro-1764-uat

groombook:ci/gro-1757-build

groombook:fix/gro-1757-sso-auto-provision

groombook:fix/gro-1754-uat-ci

groombook:fix/gro-1754-trigger-ci-v2

groombook:fix/gro-1752-factories-v2

groombook:fix/gro-1752-factories-only

groombook:fix/gro-1746-apply-uat-seed-to-root-src

groombook:fix/gro-1752-extended-pet-profile-fields

groombook:promo/gro-1749-uat

groombook:fix/gro-1749-uat-seed-sync

groombook:fix/gro-1743-uat-seed-data

groombook:fix/gro-1480-portal-pets-patch

groombook:fix/gro-1678-econnreset-robustness

groombook:fix/gro-1576-ci-provenance-false

groombook:fix/gro-1575-ci-provenance

groombook:fix/gro-1566-api-health-auth-bypass

groombook:fix/gro-1544-api-health-endpoint

groombook:fix/gro-1533-migration-0031-coat-type

groombook:fix/gro-1533-missing-migration-0032

groombook:fix/gro-1533-missing-migration-journal

groombook:revert/gro-1533-dockerfile-fix

groombook:fix/gro-1533-revert-dockefile-build-change

groombook:flea-flicker/gro-1531-seed-db-filter

groombook:fix/gro-1522-ci-images-node22

groombook:pr-44

groombook:flea-flicker/gro-1162-pet-buffer-time

groombook:fix/gro-1461-uat-playbook-auto-provision

groombook:flea-flicker/pet-profile-editor

groombook:fix/gro-1441-remove-duplicate-coat-props

groombook:fix/gro-1390-pets-test-mock-hoisting

groombook:fix/gro-1395-drizzle-orm-root-dep

groombook:gitea/migrate-workflows

groombook:flea-flicker/fix-gro-1370-ts-and-test-errors

groombook:fix/api/add-devdep-drizzle-orm-fix-vitest

groombook:pr-19

groombook:flea-flicker/uat-email-password-seed

groombook:fleaflicker/gro-1272-v2

groombook:fleaflicker/gro-1272-auto-provision-staff

groombook:add-renovate-config

groombook:flea-flicker/gro-1231-pnpm-workspace-dockerfile

groombook:fix/GRO-1202-rate-limit-override

groombook:fix/typescript-errors

groombook:flea-flicker/pet-profile-extended-fields

groombook:fix/uat-tester-oidc-sub

groombook:flea-flicker/fix-authprovider-mock-path

groombook:flea-flicker/auto-create-staff-oauth-users-v2

groombook:flea-flicker/auto-create-staff-oauth-users

groombook:docs/GRO-1099-uat-playbook-api

groombook:flea-flicker/fix-ci-install-deps-v2

groombook:flea-flicker/fix-ci-install-deps

Conversation 1 Commits 1 Files Changed 1

+4

The Dogfather commented 2026-05-21 22:22:28 +00:00

Member

Copy Link

Copy Source

No description provided.

The Dogfather added 1 commit 2026-05-21 22:22:29 +00:00

fix(auth): add accountLinking trustedProviders for authentik (GRO-1509) ... 10c33513eb

Betters Auth v1.5.6 link-account.mjs:22 rejects OAuth callbacks when the
genericOAuth provider is not in trustedProviders AND email_verified is
falsy. Adding authentik to trustedProviders bypasses this guard so OIDC
login works for TF-created users whose emails were never verified through
an authentik flow.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

The Dogfather closed this pull request 2026-05-21 22:24:42 +00:00

The Dogfather commented 2026-05-21 22:27:29 +00:00

Author

Member

Copy Link

Copy Source

Summary

• Adds accountLinking.enabled=true and accountLinking.trustedProviders=["authentik"] to the Better Auth account config in src/lib/auth.ts
• Bypasses the guard in Better Auth v1.5.6 link-account.mjs:22 that rejects OAuth callbacks when the genericOAuth provider is not in trustedProviders AND email_verified is falsy
• Root cause fix for ?error=account_not_linked on all OIDC logins on UAT

Test plan

• OIDC login with uat-groomer via the SSO button on UAT does NOT show ?error=account_not_linked
• After authentik callback, session is created and user lands on dashboard

cc @cpfarhood

## Summary - Adds `accountLinking.enabled=true` and `accountLinking.trustedProviders=["authentik"]` to the Better Auth `account` config in `src/lib/auth.ts` - Bypasses the guard in Better Auth v1.5.6 `link-account.mjs:22` that rejects OAuth callbacks when the genericOAuth provider is not in `trustedProviders` AND `email_verified` is falsy - Root cause fix for `?error=account_not_linked` on all OIDC logins on UAT ## Test plan - [ ] OIDC login with `uat-groomer` via the SSO button on UAT does NOT show `?error=account_not_linked` - [ ] After authentik callback, session is created and user lands on dashboard cc @cpfarhood

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: groombook/api#41