feat(oauth2): override user info on provider sign-in (#2148)

* feat(oauth2): override user info on provider sign-in

* improve email verification handling

* resolve mrge

* fix(sso): update overrideUserInfo handling to use provider configuration

* fix param

Author: Bekacru

packages/better-auth/src/oauth2/link-account.ts

@@ -11,11 +11,13 @@ export async function handleOAuthUserInfo(
 		account,
 		callbackURL,
 		disableSignUp,
+		overrideUserInfo,
 	}: {
 		userInfo: Omit<User, "createdAt" | "updatedAt">;
 		account: Omit<Account, "id" | "userId" | "createdAt" | "updatedAt">;
 		callbackURL?: string;
 		disableSignUp?: boolean;
+		overrideUserInfo?: boolean;
 	},
 ) {
 	const dbUser = await c.context.internalAdapter
@@ -102,6 +104,17 @@ export async function handleOAuthUserInfo(
 				);
 			}
 		}
+		if (overrideUserInfo) {
+			// update user info from the provider if overrideUserInfo is true
+			await c.context.internalAdapter.updateUser(dbUser.user.id, {
+				...userInfo,
+				email: userInfo.email.toLowerCase(),
+				emailVerified:
+					userInfo.email.toLocaleLowerCase() === dbUser.user.email
+						? dbUser.user.emailVerified || userInfo.emailVerified
+						: userInfo.emailVerified,
+			});
+		}
 	} else {
 		if (disableSignUp) {
 			return {

packages/better-auth/src/oauth2/types.ts

@@ -176,4 +176,11 @@ export type ProviderOptions<Profile extends Record<string, any> = any> = {
 	 * The response mode to use for the authorization code request
 	 */
 	responseMode?: "query" | "form_post";
+	/**
+	 * If enabled, the user info will be overridden with the provider user info
+	 * This is useful if you want to use the provider user info to update the user info
+	 *
+	 * @default false
+	 */
+	overrideUserInfoOnSignIn?: boolean;
 };

packages/better-auth/src/plugins/generic-oauth/index.ts

@@ -127,6 +127,14 @@ interface GenericOAuthConfig {
 	 * @default "post"
 	 */
 	authentication?: "basic" | "post";
+	/**
+	 * Override user info with the provider info.
+	 *
+	 * This will update the user info with the provider info,
+	 * when the user signs in with the provider.
+	 * @default false
+	 */
+	overrideUserInfo?: boolean;
 }
 
 interface GenericOAuthOptions {
@@ -681,6 +689,7 @@ export const genericOAuth = (options: GenericOAuthOptions) => {
 						disableSignUp:
 							(provider.disableImplicitSignUp && !requestSignUp) ||
 							provider.disableSignUp,
+						overrideUserInfo: provider.overrideUserInfo,
 					});
 
 					if (result.error) {

packages/better-auth/src/plugins/sso/index.ts

@@ -63,9 +63,14 @@ interface SSOOptions {
 	};
 	/**
 	 * Disable implicit sign up for new users. When set to true for the provider,
-	 * sign-in need to be calle dwith with requestSignUp as true to create new users.
+	 * sign-in need to be called with with requestSignUp as true to create new users.
 	 */
 	disableImplicitSignUp?: boolean;
+	/**
+	 * Override user info with the provider info.
+	 * @default false
+	 */
+	defaultOverrideUserInfo?: boolean;
 }
 
 export const sso = (options?: SSOOptions) => {
@@ -166,6 +171,13 @@ export const sso = (options?: SSOOptions) => {
 									"If organization plugin is enabled, the organization id to link the provider to",
 							})
 							.optional(),
+						overrideUserInfo: z
+							.boolean({
+								description:
+									"Override user info with the provider info. Defaults to false",
+							})
+							.default(false)
+							.optional(),
 					}),
 					use: [sessionMiddleware],
 					metadata: {
@@ -375,6 +387,10 @@ export const sso = (options?: SSOOptions) => {
 								mapping: body.mapping,
 								scopes: body.scopes,
 								userinfoEndpoint: body.userInfoEndpoint,
+								overrideUserInfo:
+									ctx.body.overrideUserInfo ||
+									options?.defaultOverrideUserInfo ||
+									false,
 							}),
 							organizationId: body.organizationId,
 							userId: ctx.context.session.user.id,
@@ -848,6 +864,7 @@ export const sso = (options?: SSOOptions) => {
 							scope: tokenResponse.scopes?.join(","),
 						},
 						disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
+						overrideUserInfo: config.overrideUserInfo,
 					});
 					if (linked.error) {
 						throw ctx.redirect(
@@ -978,6 +995,7 @@ interface OIDCConfig {
 	discoveryEndpoint: string;
 	userInfoEndpoint?: string;
 	scopes?: string[];
+	overrideUserInfo?: boolean;
 	tokenEndpoint?: string;
 	tokenEndpointAuthentication?: "client_secret_post" | "client_secret_basic";
 	jwksEndpoint?: string;