fix: fix saml login for existing users (#1434)

teamhanko · Apr 17, 2024 · 7276db1 · 7276db1
1 parent 7901dd2
commit 7276db1
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/backend/ee/saml/handler.go b/backend/ee/saml/handler.go
@@ -214,7 +214,7 @@ func (handler *SamlHandler) linkAccount(c echo.Context, redirectTo *url.URL, sta
 	samlError = handler.persister.Transaction(func(tx *pop.Connection) error {
 		userdata := provider.GetUserData(assertionInfo)
 
-		linkResult, samlError := thirdparty.LinkAccount(tx, handler.config, handler.persister, userdata, state.Provider)
+		linkResult, samlError := thirdparty.LinkAccount(tx, handler.config, handler.persister, userdata, state.Provider, true)
 		if samlError != nil {
 			return samlError
 		}

diff --git a/backend/handler/thirdparty.go b/backend/handler/thirdparty.go
@@ -143,7 +143,7 @@ func (h *ThirdPartyHandler) Callback(c echo.Context) error {
 			return thirdparty.ErrorInvalidRequest("could not retrieve user data from provider").WithCause(terr)
 		}
 
-		linkingResult, terr := thirdparty.LinkAccount(tx, h.cfg, h.persister, userData, provider.Name())
+		linkingResult, terr := thirdparty.LinkAccount(tx, h.cfg, h.persister, userData, provider.Name(), false)
 		if terr != nil {
 			return terr
 		}

diff --git a/backend/thirdparty/linking.go b/backend/thirdparty/linking.go
@@ -19,7 +19,7 @@ const (
 	getIdentityFailure = "could not get identity"
 )
 
-func LinkAccount(tx *pop.Connection, cfg *config.Config, p persistence.Persister, userData *UserData, providerName string) (*AccountLinkingResult, error) {
+func LinkAccount(tx *pop.Connection, cfg *config.Config, p persistence.Persister, userData *UserData, providerName string, isSaml bool) (*AccountLinkingResult, error) {
 	if cfg.Emails.RequireVerification && !userData.Metadata.EmailVerified {
 		return nil, ErrorUnverifiedProviderEmail("third party provider email must be verified")
 	}
@@ -38,15 +38,15 @@ func LinkAccount(tx *pop.Connection, cfg *config.Config, p persistence.Persister
 		if user == nil {
 			return signUp(tx, cfg, p, userData, providerName)
 		} else {
-			return link(tx, cfg, p, userData, providerName, user)
+			return link(tx, cfg, p, userData, providerName, user, isSaml)
 		}
 	} else {
 		return signIn(tx, cfg, p, userData, identity)
 	}
 }
 
-func link(tx *pop.Connection, cfg *config.Config, p persistence.Persister, userData *UserData, providerName string, user *models.User) (*AccountLinkingResult, error) {
-	if !cfg.ThirdParty.Providers.Get(providerName).AllowLinking {
+func link(tx *pop.Connection, cfg *config.Config, p persistence.Persister, userData *UserData, providerName string, user *models.User, isSaml bool) (*AccountLinkingResult, error) {
+	if !isSaml && !cfg.ThirdParty.Providers.Get(providerName).AllowLinking {
 		return nil, ErrorUserConflict("third party account linking for existing user with same email disallowed")
 	}