From d89f6ceedef001fb7ce653dc782976ee15847f14 Mon Sep 17 00:00:00 2001
From: Paulo Castellano <paulo@castellanos.llc>
Date: Mon, 4 May 2026 19:22:09 -0300
Subject: [PATCH 1/4] fix: let authenticated users connect Google/GitHub from
 Settings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Connect button on /settings/authentication pointed at the
auth.{provider}.redirect routes that live behind `guest` middleware,
so authenticated users were bounced to /app/home before reaching
Socialite. The OAuth callback also needed to handle two flows
(signup/login vs link to current user) but had no branch for the
second case — meaning a different-email GitHub account would have
been registered as a new user, logging the original session out.

Splits the flows by intent:

- New `app.authentication.connect-provider` route in the auth group,
  handled by the settings controller (where it sits next to
  disconnect-provider). Replaces the OAuth signup link as the
  Connect button's target.
- Auth callbacks moved out of the guest group (still one URL per
  provider, since OAuth apps only register one) and gain a single
  Auth::check() branch that calls connectToCurrentUser().
- connectToCurrentUser() rejects if the provider id already belongs
  to a different user; otherwise sets it on the current user and
  redirects back to settings with a flash message.
---
 .../App/Settings/AuthenticationController.php |  11 ++
 .../Controllers/Auth/GitHubController.php     |  23 +++
 .../Controllers/Auth/GoogleController.php     |  23 +++
 lang/en/settings.php                          |   2 +
 lang/es/settings.php                          |   2 +
 lang/pt-BR/settings.php                       |   2 +
 .../pages/settings/profile/Authentication.vue |  10 +-
 routes/app.php                                |   2 +
 routes/auth.php                               |  10 +-
 tests/Feature/Auth/ConnectProviderTest.php    | 175 ++++++++++++++++++
 10 files changed, 249 insertions(+), 11 deletions(-)
 create mode 100644 tests/Feature/Auth/ConnectProviderTest.php

diff --git a/app/Http/Controllers/App/Settings/AuthenticationController.php b/app/Http/Controllers/App/Settings/AuthenticationController.php
index e093d9a4..cb7d29be 100644
--- a/app/Http/Controllers/App/Settings/AuthenticationController.php
+++ b/app/Http/Controllers/App/Settings/AuthenticationController.php
@@ -14,6 +14,7 @@
 use Illuminate\Validation\Rule;
 use Inertia\Inertia;
 use Inertia\Response;
+use Laravel\Socialite\Facades\Socialite;
 
 class AuthenticationController extends Controller
 {
@@ -63,6 +64,16 @@ public function destroyOtherSessions(Request $request): RedirectResponse
         return back()->with('flash.success', __('settings.authentication.sessions.flash_logged_out'));
     }
 
+    public function connectProvider(string $provider): RedirectResponse
+    {
+        abort_unless(in_array($provider, self::PROVIDERS, true), 404);
+
+        return match ($provider) {
+            'google' => Socialite::driver('google-auth')->redirect(),
+            'github' => Socialite::driver('github')->scopes(['read:user', 'user:email'])->redirect(),
+        };
+    }
+
     public function disconnectProvider(Request $request, string $provider): RedirectResponse
     {
         abort_unless(in_array($provider, self::PROVIDERS, true), 404);
diff --git a/app/Http/Controllers/Auth/GitHubController.php b/app/Http/Controllers/Auth/GitHubController.php
index 05be8a6b..7e6e0014 100644
--- a/app/Http/Controllers/Auth/GitHubController.php
+++ b/app/Http/Controllers/Auth/GitHubController.php
@@ -35,6 +35,10 @@ public function callback(): RedirectResponse
             return redirect()->route('login');
         }
 
+        if (Auth::check()) {
+            return $this->connectToCurrentUser(Auth::user(), (string) $githubUser->getId());
+        }
+
         $user = User::where('github_id', (string) $githubUser->getId())
             ->when($githubUser->getEmail(), fn ($query, $email) => $query->orWhere('email', $email))
             ->first();
@@ -52,6 +56,25 @@ public function callback(): RedirectResponse
         return $this->registerNewUser($githubUser);
     }
 
+    private function connectToCurrentUser(User $user, string $githubId): RedirectResponse
+    {
+        $existing = User::where('github_id', $githubId)
+            ->where('id', '!=', $user->id)
+            ->first();
+
+        if ($existing) {
+            return redirect()->route('app.authentication.edit')
+                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => 'GitHub']));
+        }
+
+        if ($user->github_id !== $githubId) {
+            $user->update(['github_id' => $githubId]);
+        }
+
+        return redirect()->route('app.authentication.edit')
+            ->with('flash.success', __('settings.authentication.providers.flash_connected', ['provider' => 'GitHub']));
+    }
+
     private function loginExistingUser(User $user, string $githubId): RedirectResponse
     {
         if (! $user->github_id) {
diff --git a/app/Http/Controllers/Auth/GoogleController.php b/app/Http/Controllers/Auth/GoogleController.php
index 822b7a8e..ba69067e 100644
--- a/app/Http/Controllers/Auth/GoogleController.php
+++ b/app/Http/Controllers/Auth/GoogleController.php
@@ -33,6 +33,10 @@ public function callback(): RedirectResponse
             return redirect()->route('login');
         }
 
+        if (Auth::check()) {
+            return $this->connectToCurrentUser(Auth::user(), $googleUser->getId());
+        }
+
         $user = User::where('google_id', $googleUser->getId())
             ->orWhere('email', $googleUser->getEmail())
             ->first();
@@ -44,6 +48,25 @@ public function callback(): RedirectResponse
         return $this->registerNewUser($googleUser);
     }
 
+    private function connectToCurrentUser(User $user, string $googleId): RedirectResponse
+    {
+        $existing = User::where('google_id', $googleId)
+            ->where('id', '!=', $user->id)
+            ->first();
+
+        if ($existing) {
+            return redirect()->route('app.authentication.edit')
+                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => 'Google']));
+        }
+
+        if ($user->google_id !== $googleId) {
+            $user->update(['google_id' => $googleId]);
+        }
+
+        return redirect()->route('app.authentication.edit')
+            ->with('flash.success', __('settings.authentication.providers.flash_connected', ['provider' => 'Google']));
+    }
+
     private function loginExistingUser(User $user, string $googleId): RedirectResponse
     {
         if (! $user->google_id) {
diff --git a/lang/en/settings.php b/lang/en/settings.php
index b7996938..d9de6064 100644
--- a/lang/en/settings.php
+++ b/lang/en/settings.php
@@ -100,6 +100,8 @@
             'connect' => 'Connect',
             'disconnect' => 'Disconnect',
             'flash_disconnected' => ':provider disconnected successfully.',
+            'flash_connected' => ':provider connected successfully.',
+            'flash_already_linked' => 'That :provider account is already linked to another user.',
             'flash_cannot_disconnect' => 'You cannot disconnect your only sign-in method. Set a password or connect another provider first.',
         ],
     ],
diff --git a/lang/es/settings.php b/lang/es/settings.php
index 3de7dc26..86a1d58c 100644
--- a/lang/es/settings.php
+++ b/lang/es/settings.php
@@ -100,6 +100,8 @@
             'connect' => 'Conectar',
             'disconnect' => 'Desconectar',
             'flash_disconnected' => ':provider desconectada correctamente.',
+            'flash_connected' => ':provider conectada correctamente.',
+            'flash_already_linked' => 'Esa cuenta de :provider ya está vinculada a otro usuario.',
             'flash_cannot_disconnect' => 'No puedes desconectar tu único método de inicio de sesión. Define una contraseña o conecta otro proveedor primero.',
         ],
     ],
diff --git a/lang/pt-BR/settings.php b/lang/pt-BR/settings.php
index db2421cf..d735b1ae 100644
--- a/lang/pt-BR/settings.php
+++ b/lang/pt-BR/settings.php
@@ -100,6 +100,8 @@
             'connect' => 'Conectar',
             'disconnect' => 'Desconectar',
             'flash_disconnected' => ':provider desconectada com sucesso.',
+            'flash_connected' => ':provider conectada com sucesso.',
+            'flash_already_linked' => 'Essa conta do :provider já está vinculada a outro usuário.',
             'flash_cannot_disconnect' => 'Você não pode desconectar seu único método de login. Defina uma senha ou conecte outro provedor primeiro.',
         ],
     ],
diff --git a/resources/js/pages/settings/profile/Authentication.vue b/resources/js/pages/settings/profile/Authentication.vue
index a75f3822..60e7c30d 100644
--- a/resources/js/pages/settings/profile/Authentication.vue
+++ b/resources/js/pages/settings/profile/Authentication.vue
@@ -26,11 +26,9 @@ import { Separator } from '@/components/ui/separator';
 import AppLayout from '@/layouts/AppLayout.vue';
 import { isMobileDevice, parseBrowserName, parseOsName } from '@/lib/userAgent';
 import { settings as settingsHub } from '@/routes/app';
-import { edit as editAuthentication } from '@/routes/app/authentication';
+import { connectProvider, edit as editAuthentication } from '@/routes/app/authentication';
 import { preferences as notificationPreferences } from '@/routes/app/notifications';
 import { edit as editProfile } from '@/routes/app/profile';
-import { redirect as githubRedirect } from '@/routes/auth/github';
-import { redirect as googleRedirect } from '@/routes/auth/google';
 import type { BreadcrumbItem } from '@/types';
 
 type Session = {
@@ -66,10 +64,6 @@ const tabs = computed(() => [
     { name: 'notifications', label: trans('settings.nav.notifications'), href: notificationPreferences().url },
 ]);
 
-const providerRedirects: Record<ConnectedAccount['provider'], () => { url: string }> = {
-    google: googleRedirect,
-    github: githubRedirect,
-};
 
 const passwordHeading = computed(() =>
     props.hasPassword
@@ -335,7 +329,7 @@ const logoutDialogOpen = ref(false);
                             </Form>
                             <Link
                                 v-else-if="!account.connected"
-                                :href="providerRedirects[account.provider]().url"
+                                :href="connectProvider(account.provider).url"
                             >
                                 <Button
                                     variant="outline"
diff --git a/routes/app.php b/routes/app.php
index a9d0818e..85dbafc1 100644
--- a/routes/app.php
+++ b/routes/app.php
@@ -249,6 +249,8 @@
         ->name('app.authentication.update-password');
     Route::delete('settings/authentication/sessions', [AuthenticationController::class, 'destroyOtherSessions'])
         ->name('app.authentication.destroy-other-sessions');
+    Route::get('settings/authentication/providers/{provider}/connect', [AuthenticationController::class, 'connectProvider'])
+        ->name('app.authentication.connect-provider');
     Route::delete('settings/authentication/providers/{provider}', [AuthenticationController::class, 'disconnectProvider'])
         ->name('app.authentication.disconnect-provider');
 
diff --git a/routes/auth.php b/routes/auth.php
index 1b79eb45..3e25ba03 100644
--- a/routes/auth.php
+++ b/routes/auth.php
@@ -31,12 +31,16 @@
     Route::post('/reset-password', [NewPasswordController::class, 'store'])->name('password.store');
 
     Route::get('/auth/google/redirect', [GoogleController::class, 'redirect'])->name('auth.google.redirect');
-    Route::get('/auth/google/callback', [GoogleController::class, 'callback'])->name('auth.google.callback');
-
     Route::get('/auth/github/redirect', [GitHubController::class, 'redirect'])->name('auth.github.redirect');
-    Route::get('/auth/github/callback', [GitHubController::class, 'callback'])->name('auth.github.callback');
 });
 
+// Callbacks must be reachable by both guests (signup/login flow) and
+// authenticated users (connect-from-settings flow). Branching on
+// `Auth::check()` inside the callback is safe because the redirect that
+// initiated the round-trip enforces the right middleware.
+Route::get('/auth/google/callback', [GoogleController::class, 'callback'])->name('auth.google.callback');
+Route::get('/auth/github/callback', [GitHubController::class, 'callback'])->name('auth.github.callback');
+
 Route::middleware(['auth'])->group(function () {
     Route::get('/register/success', SignupSuccessController::class)->name('register.success');
 
diff --git a/tests/Feature/Auth/ConnectProviderTest.php b/tests/Feature/Auth/ConnectProviderTest.php
new file mode 100644
index 00000000..262b97b1
--- /dev/null
+++ b/tests/Feature/Auth/ConnectProviderTest.php
@@ -0,0 +1,175 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\User;
+use Laravel\Socialite\Facades\Socialite;
+use Laravel\Socialite\Two\User as SocialiteUser;
+
+test('authenticated user can hit the connect-provider route for github', function () {
+    $user = User::factory()->create();
+
+    $driver = Mockery::mock();
+    $driver->shouldReceive('scopes')->andReturnSelf();
+    $driver->shouldReceive('redirect')->andReturn(redirect('https://github.com/login/oauth/authorize'));
+    Socialite::shouldReceive('driver')->with('github')->andReturn($driver);
+
+    $this->actingAs($user)
+        ->get(route('app.authentication.connect-provider', 'github'))
+        ->assertRedirect('https://github.com/login/oauth/authorize');
+});
+
+test('authenticated user can hit the connect-provider route for google', function () {
+    $user = User::factory()->create();
+
+    $driver = Mockery::mock();
+    $driver->shouldReceive('redirect')->andReturn(redirect('https://accounts.google.com/o/oauth2/auth'));
+    Socialite::shouldReceive('driver')->with('google-auth')->andReturn($driver);
+
+    $this->actingAs($user)
+        ->get(route('app.authentication.connect-provider', 'google'))
+        ->assertRedirect('https://accounts.google.com/o/oauth2/auth');
+});
+
+test('connect-provider route rejects unknown provider', function () {
+    $user = User::factory()->create();
+
+    $this->actingAs($user)
+        ->get(route('app.authentication.connect-provider', 'twitter'))
+        ->assertNotFound();
+});
+
+test('connect-provider route requires authentication', function () {
+    $this->get(route('app.authentication.connect-provider', 'github'))
+        ->assertRedirect(route('login'));
+});
+
+test('authenticated callback connects github to the current user', function () {
+    $user = User::factory()->create([
+        'email' => 'me@example.com',
+        'google_id' => 'g-me',
+        'github_id' => null,
+    ]);
+
+    $socialiteUser = new SocialiteUser;
+    $socialiteUser->id = 'gh-me';
+    $socialiteUser->name = 'Me';
+    $socialiteUser->email = 'me@example.com';
+
+    Socialite::shouldReceive('driver')
+        ->with('github')
+        ->andReturn($driver = Mockery::mock());
+
+    $driver->shouldReceive('user')->andReturn($socialiteUser);
+
+    $this->actingAs($user)
+        ->get(route('auth.github.callback'))
+        ->assertRedirect(route('app.authentication.edit'))
+        ->assertSessionHas('flash.success');
+
+    expect($user->fresh()->github_id)->toBe('gh-me');
+});
+
+test('authenticated callback links github by current user, not by email', function () {
+    $user = User::factory()->create([
+        'email' => 'work@example.com',
+        'google_id' => 'g-me',
+        'github_id' => null,
+    ]);
+
+    $socialiteUser = new SocialiteUser;
+    $socialiteUser->id = 'gh-personal';
+    $socialiteUser->name = 'Me';
+    $socialiteUser->email = 'personal@example.com';
+
+    Socialite::shouldReceive('driver')
+        ->with('github')
+        ->andReturn($driver = Mockery::mock());
+
+    $driver->shouldReceive('user')->andReturn($socialiteUser);
+
+    $this->actingAs($user)
+        ->get(route('auth.github.callback'))
+        ->assertRedirect(route('app.authentication.edit'))
+        ->assertSessionHas('flash.success');
+
+    expect($user->fresh()->github_id)->toBe('gh-personal');
+    expect(User::where('email', 'personal@example.com')->exists())->toBeFalse();
+    $this->assertAuthenticatedAs($user);
+});
+
+test('authenticated callback rejects when github account is already linked to another user', function () {
+    User::factory()->create(['github_id' => 'gh-taken']);
+
+    $me = User::factory()->create(['email' => 'me@example.com', 'github_id' => null]);
+
+    $socialiteUser = new SocialiteUser;
+    $socialiteUser->id = 'gh-taken';
+    $socialiteUser->name = 'Me';
+    $socialiteUser->email = 'me@example.com';
+
+    Socialite::shouldReceive('driver')
+        ->with('github')
+        ->andReturn($driver = Mockery::mock());
+
+    $driver->shouldReceive('user')->andReturn($socialiteUser);
+
+    $this->actingAs($me)
+        ->get(route('auth.github.callback'))
+        ->assertRedirect(route('app.authentication.edit'))
+        ->assertSessionHas('flash.error');
+
+    expect($me->fresh()->github_id)->toBeNull();
+    $this->assertAuthenticatedAs($me);
+});
+
+test('authenticated callback connects google to the current user', function () {
+    $user = User::factory()->create([
+        'email' => 'me@example.com',
+        'github_id' => 'gh-me',
+        'google_id' => null,
+    ]);
+
+    $socialiteUser = new SocialiteUser;
+    $socialiteUser->id = 'g-me';
+    $socialiteUser->name = 'Me';
+    $socialiteUser->email = 'me@example.com';
+
+    Socialite::shouldReceive('driver')
+        ->with('google-auth')
+        ->andReturn($driver = Mockery::mock());
+
+    $driver->shouldReceive('user')->andReturn($socialiteUser);
+
+    $this->actingAs($user)
+        ->get(route('auth.google.callback'))
+        ->assertRedirect(route('app.authentication.edit'))
+        ->assertSessionHas('flash.success');
+
+    expect($user->fresh()->google_id)->toBe('g-me');
+});
+
+test('authenticated callback rejects when google account is already linked to another user', function () {
+    User::factory()->create(['google_id' => 'g-taken']);
+
+    $me = User::factory()->create(['email' => 'me@example.com', 'google_id' => null]);
+
+    $socialiteUser = new SocialiteUser;
+    $socialiteUser->id = 'g-taken';
+    $socialiteUser->name = 'Me';
+    $socialiteUser->email = 'me@example.com';
+
+    Socialite::shouldReceive('driver')
+        ->with('google-auth')
+        ->andReturn($driver = Mockery::mock());
+
+    $driver->shouldReceive('user')->andReturn($socialiteUser);
+
+    $this->actingAs($me)
+        ->get(route('auth.google.callback'))
+        ->assertRedirect(route('app.authentication.edit'))
+        ->assertSessionHas('flash.error');
+
+    expect($me->fresh()->google_id)->toBeNull();
+    $this->assertAuthenticatedAs($me);
+});

From 79f800f8589afee103d195dd6c352265aebcf5d4 Mon Sep 17 00:00:00 2001
From: Paulo Castellano <paulo@castellanos.llc>
Date: Mon, 4 May 2026 19:30:16 -0300
Subject: [PATCH 2/4] refactor: dedicated callback URL for
 connect-from-settings flow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Splits the OAuth connect flow off entirely from signup/login so each
route has a single responsibility.

- routes/auth.php returns to its original state — redirect + callback
  both back inside the `guest` group.
- routes/app.php gains a paired callback route at
  /settings/authentication/providers/{provider}/callback.
- AuthenticationController::connectProvider /
  connectProviderCallback override Socialite's redirectUrl so the
  round-trip stays on the connect-flow URL. The Auth::check() branch
  in the auth controllers is gone.

The OAuth apps in Google Cloud and GitHub Developer Settings need the
new callback URL registered alongside the existing one — documented in
.env.example.
---
 .env.example                                  | 10 ++-
 .../App/Settings/AuthenticationController.php | 50 +++++++++++-
 .../Controllers/Auth/GitHubController.php     | 23 ------
 .../Controllers/Auth/GoogleController.php     | 23 ------
 routes/app.php                                |  2 +
 routes/auth.php                               | 10 +--
 tests/Feature/Auth/ConnectProviderTest.php    | 78 +++++++++++--------
 7 files changed, 107 insertions(+), 89 deletions(-)

diff --git a/.env.example b/.env.example
index 4e38edbf..5ec0da26 100644
--- a/.env.example
+++ b/.env.example
@@ -123,7 +123,10 @@ THREADS_CLIENT_SECRET=
 THREADS_CLIENT_REDIRECT="${APP_URL}/accounts/threads/callback"
 
 # Google (https://console.cloud.google.com)
-# Used for YouTube social account connection AND Google login/signup
+# Used for YouTube social account connection AND Google login/signup.
+# Register BOTH callback URLs in the OAuth app's authorized redirect URIs:
+#   - ${APP_URL}/auth/google/callback                                   (signup/login)
+#   - ${APP_URL}/settings/authentication/providers/google/callback      (link from Settings)
 GOOGLE_AUTH_ENABLED=false
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
@@ -131,7 +134,10 @@ GOOGLE_CLIENT_REDIRECT="${APP_URL}/accounts/youtube/callback"
 GOOGLE_AUTH_CALLBACK="${APP_URL}/auth/google/callback"
 
 # GitHub (https://github.com/settings/developers)
-# Used for GitHub login/signup
+# Used for GitHub login/signup.
+# Register BOTH callback URLs in the OAuth app's authorized redirect URIs:
+#   - ${APP_URL}/auth/github/callback                                   (signup/login)
+#   - ${APP_URL}/settings/authentication/providers/github/callback      (link from Settings)
 GITHUB_AUTH_ENABLED=false
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
diff --git a/app/Http/Controllers/App/Settings/AuthenticationController.php b/app/Http/Controllers/App/Settings/AuthenticationController.php
index cb7d29be..7c74f22e 100644
--- a/app/Http/Controllers/App/Settings/AuthenticationController.php
+++ b/app/Http/Controllers/App/Settings/AuthenticationController.php
@@ -15,6 +15,7 @@
 use Inertia\Inertia;
 use Inertia\Response;
 use Laravel\Socialite\Facades\Socialite;
+use Laravel\Socialite\Two\AbstractProvider;
 
 class AuthenticationController extends Controller
 {
@@ -68,9 +69,54 @@ public function connectProvider(string $provider): RedirectResponse
     {
         abort_unless(in_array($provider, self::PROVIDERS, true), 404);
 
+        return $this->driver($provider)->redirect();
+    }
+
+    public function connectProviderCallback(Request $request, string $provider): RedirectResponse
+    {
+        abort_unless(in_array($provider, self::PROVIDERS, true), 404);
+
+        try {
+            $providerUser = $this->driver($provider)->user();
+        } catch (\Exception) {
+            return redirect()->route('app.authentication.edit')
+                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => ucfirst($provider)]));
+        }
+
+        $user = $request->user();
+        $column = "{$provider}_id";
+        $providerId = (string) $providerUser->getId();
+
+        $existing = User::where($column, $providerId)
+            ->where('id', '!=', $user->id)
+            ->first();
+
+        if ($existing) {
+            return redirect()->route('app.authentication.edit')
+                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => ucfirst($provider)]));
+        }
+
+        if ($user->{$column} !== $providerId) {
+            $user->update([$column => $providerId]);
+        }
+
+        return redirect()->route('app.authentication.edit')
+            ->with('flash.success', __('settings.authentication.providers.flash_connected', ['provider' => ucfirst($provider)]));
+    }
+
+    /**
+     * Build a Socialite driver for the connect flow with its dedicated
+     * callback URL. The signup/login flow uses the driver's default
+     * redirect URL configured in `config/services.php`; here we override
+     * so each flow round-trips through its own route.
+     */
+    private function driver(string $provider): AbstractProvider
+    {
+        $callback = route('app.authentication.connect-provider.callback', $provider);
+
         return match ($provider) {
-            'google' => Socialite::driver('google-auth')->redirect(),
-            'github' => Socialite::driver('github')->scopes(['read:user', 'user:email'])->redirect(),
+            'google' => Socialite::driver('google-auth')->redirectUrl($callback),
+            'github' => Socialite::driver('github')->scopes(['read:user', 'user:email'])->redirectUrl($callback),
         };
     }
 
diff --git a/app/Http/Controllers/Auth/GitHubController.php b/app/Http/Controllers/Auth/GitHubController.php
index 7e6e0014..05be8a6b 100644
--- a/app/Http/Controllers/Auth/GitHubController.php
+++ b/app/Http/Controllers/Auth/GitHubController.php
@@ -35,10 +35,6 @@ public function callback(): RedirectResponse
             return redirect()->route('login');
         }
 
-        if (Auth::check()) {
-            return $this->connectToCurrentUser(Auth::user(), (string) $githubUser->getId());
-        }
-
         $user = User::where('github_id', (string) $githubUser->getId())
             ->when($githubUser->getEmail(), fn ($query, $email) => $query->orWhere('email', $email))
             ->first();
@@ -56,25 +52,6 @@ public function callback(): RedirectResponse
         return $this->registerNewUser($githubUser);
     }
 
-    private function connectToCurrentUser(User $user, string $githubId): RedirectResponse
-    {
-        $existing = User::where('github_id', $githubId)
-            ->where('id', '!=', $user->id)
-            ->first();
-
-        if ($existing) {
-            return redirect()->route('app.authentication.edit')
-                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => 'GitHub']));
-        }
-
-        if ($user->github_id !== $githubId) {
-            $user->update(['github_id' => $githubId]);
-        }
-
-        return redirect()->route('app.authentication.edit')
-            ->with('flash.success', __('settings.authentication.providers.flash_connected', ['provider' => 'GitHub']));
-    }
-
     private function loginExistingUser(User $user, string $githubId): RedirectResponse
     {
         if (! $user->github_id) {
diff --git a/app/Http/Controllers/Auth/GoogleController.php b/app/Http/Controllers/Auth/GoogleController.php
index ba69067e..822b7a8e 100644
--- a/app/Http/Controllers/Auth/GoogleController.php
+++ b/app/Http/Controllers/Auth/GoogleController.php
@@ -33,10 +33,6 @@ public function callback(): RedirectResponse
             return redirect()->route('login');
         }
 
-        if (Auth::check()) {
-            return $this->connectToCurrentUser(Auth::user(), $googleUser->getId());
-        }
-
         $user = User::where('google_id', $googleUser->getId())
             ->orWhere('email', $googleUser->getEmail())
             ->first();
@@ -48,25 +44,6 @@ public function callback(): RedirectResponse
         return $this->registerNewUser($googleUser);
     }
 
-    private function connectToCurrentUser(User $user, string $googleId): RedirectResponse
-    {
-        $existing = User::where('google_id', $googleId)
-            ->where('id', '!=', $user->id)
-            ->first();
-
-        if ($existing) {
-            return redirect()->route('app.authentication.edit')
-                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => 'Google']));
-        }
-
-        if ($user->google_id !== $googleId) {
-            $user->update(['google_id' => $googleId]);
-        }
-
-        return redirect()->route('app.authentication.edit')
-            ->with('flash.success', __('settings.authentication.providers.flash_connected', ['provider' => 'Google']));
-    }
-
     private function loginExistingUser(User $user, string $googleId): RedirectResponse
     {
         if (! $user->google_id) {
diff --git a/routes/app.php b/routes/app.php
index 85dbafc1..1a1dad3d 100644
--- a/routes/app.php
+++ b/routes/app.php
@@ -251,6 +251,8 @@
         ->name('app.authentication.destroy-other-sessions');
     Route::get('settings/authentication/providers/{provider}/connect', [AuthenticationController::class, 'connectProvider'])
         ->name('app.authentication.connect-provider');
+    Route::get('settings/authentication/providers/{provider}/callback', [AuthenticationController::class, 'connectProviderCallback'])
+        ->name('app.authentication.connect-provider.callback');
     Route::delete('settings/authentication/providers/{provider}', [AuthenticationController::class, 'disconnectProvider'])
         ->name('app.authentication.disconnect-provider');
 
diff --git a/routes/auth.php b/routes/auth.php
index 3e25ba03..1b79eb45 100644
--- a/routes/auth.php
+++ b/routes/auth.php
@@ -31,16 +31,12 @@
     Route::post('/reset-password', [NewPasswordController::class, 'store'])->name('password.store');
 
     Route::get('/auth/google/redirect', [GoogleController::class, 'redirect'])->name('auth.google.redirect');
+    Route::get('/auth/google/callback', [GoogleController::class, 'callback'])->name('auth.google.callback');
+
     Route::get('/auth/github/redirect', [GitHubController::class, 'redirect'])->name('auth.github.redirect');
+    Route::get('/auth/github/callback', [GitHubController::class, 'callback'])->name('auth.github.callback');
 });
 
-// Callbacks must be reachable by both guests (signup/login flow) and
-// authenticated users (connect-from-settings flow). Branching on
-// `Auth::check()` inside the callback is safe because the redirect that
-// initiated the round-trip enforces the right middleware.
-Route::get('/auth/google/callback', [GoogleController::class, 'callback'])->name('auth.google.callback');
-Route::get('/auth/github/callback', [GitHubController::class, 'callback'])->name('auth.github.callback');
-
 Route::middleware(['auth'])->group(function () {
     Route::get('/register/success', SignupSuccessController::class)->name('register.success');
 
diff --git a/tests/Feature/Auth/ConnectProviderTest.php b/tests/Feature/Auth/ConnectProviderTest.php
index 262b97b1..00b0c3b1 100644
--- a/tests/Feature/Auth/ConnectProviderTest.php
+++ b/tests/Feature/Auth/ConnectProviderTest.php
@@ -4,13 +4,15 @@
 
 use App\Models\User;
 use Laravel\Socialite\Facades\Socialite;
+use Laravel\Socialite\Two\AbstractProvider;
 use Laravel\Socialite\Two\User as SocialiteUser;
 
 test('authenticated user can hit the connect-provider route for github', function () {
     $user = User::factory()->create();
 
-    $driver = Mockery::mock();
+    $driver = Mockery::mock(AbstractProvider::class);
     $driver->shouldReceive('scopes')->andReturnSelf();
+    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('redirect')->andReturn(redirect('https://github.com/login/oauth/authorize'));
     Socialite::shouldReceive('driver')->with('github')->andReturn($driver);
 
@@ -22,7 +24,8 @@
 test('authenticated user can hit the connect-provider route for google', function () {
     $user = User::factory()->create();
 
-    $driver = Mockery::mock();
+    $driver = Mockery::mock(AbstractProvider::class);
+    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('redirect')->andReturn(redirect('https://accounts.google.com/o/oauth2/auth'));
     Socialite::shouldReceive('driver')->with('google-auth')->andReturn($driver);
 
@@ -44,7 +47,7 @@
         ->assertRedirect(route('login'));
 });
 
-test('authenticated callback connects github to the current user', function () {
+test('connect-provider callback connects github to the current user', function () {
     $user = User::factory()->create([
         'email' => 'me@example.com',
         'google_id' => 'g-me',
@@ -56,21 +59,21 @@
     $socialiteUser->name = 'Me';
     $socialiteUser->email = 'me@example.com';
 
-    Socialite::shouldReceive('driver')
-        ->with('github')
-        ->andReturn($driver = Mockery::mock());
-
+    $driver = Mockery::mock(AbstractProvider::class);
+    $driver->shouldReceive('scopes')->andReturnSelf();
+    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
+    Socialite::shouldReceive('driver')->with('github')->andReturn($driver);
 
     $this->actingAs($user)
-        ->get(route('auth.github.callback'))
+        ->get(route('app.authentication.connect-provider.callback', 'github'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.success');
 
     expect($user->fresh()->github_id)->toBe('gh-me');
 });
 
-test('authenticated callback links github by current user, not by email', function () {
+test('connect-provider callback links github by current user, not by email', function () {
     $user = User::factory()->create([
         'email' => 'work@example.com',
         'google_id' => 'g-me',
@@ -82,14 +85,14 @@
     $socialiteUser->name = 'Me';
     $socialiteUser->email = 'personal@example.com';
 
-    Socialite::shouldReceive('driver')
-        ->with('github')
-        ->andReturn($driver = Mockery::mock());
-
+    $driver = Mockery::mock(AbstractProvider::class);
+    $driver->shouldReceive('scopes')->andReturnSelf();
+    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
+    Socialite::shouldReceive('driver')->with('github')->andReturn($driver);
 
     $this->actingAs($user)
-        ->get(route('auth.github.callback'))
+        ->get(route('app.authentication.connect-provider.callback', 'github'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.success');
 
@@ -98,7 +101,7 @@
     $this->assertAuthenticatedAs($user);
 });
 
-test('authenticated callback rejects when github account is already linked to another user', function () {
+test('connect-provider callback rejects when github account is already linked to another user', function () {
     User::factory()->create(['github_id' => 'gh-taken']);
 
     $me = User::factory()->create(['email' => 'me@example.com', 'github_id' => null]);
@@ -108,14 +111,14 @@
     $socialiteUser->name = 'Me';
     $socialiteUser->email = 'me@example.com';
 
-    Socialite::shouldReceive('driver')
-        ->with('github')
-        ->andReturn($driver = Mockery::mock());
-
+    $driver = Mockery::mock(AbstractProvider::class);
+    $driver->shouldReceive('scopes')->andReturnSelf();
+    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
+    Socialite::shouldReceive('driver')->with('github')->andReturn($driver);
 
     $this->actingAs($me)
-        ->get(route('auth.github.callback'))
+        ->get(route('app.authentication.connect-provider.callback', 'github'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.error');
 
@@ -123,7 +126,7 @@
     $this->assertAuthenticatedAs($me);
 });
 
-test('authenticated callback connects google to the current user', function () {
+test('connect-provider callback connects google to the current user', function () {
     $user = User::factory()->create([
         'email' => 'me@example.com',
         'github_id' => 'gh-me',
@@ -135,21 +138,20 @@
     $socialiteUser->name = 'Me';
     $socialiteUser->email = 'me@example.com';
 
-    Socialite::shouldReceive('driver')
-        ->with('google-auth')
-        ->andReturn($driver = Mockery::mock());
-
+    $driver = Mockery::mock(AbstractProvider::class);
+    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
+    Socialite::shouldReceive('driver')->with('google-auth')->andReturn($driver);
 
     $this->actingAs($user)
-        ->get(route('auth.google.callback'))
+        ->get(route('app.authentication.connect-provider.callback', 'google'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.success');
 
     expect($user->fresh()->google_id)->toBe('g-me');
 });
 
-test('authenticated callback rejects when google account is already linked to another user', function () {
+test('connect-provider callback rejects when google account is already linked to another user', function () {
     User::factory()->create(['google_id' => 'g-taken']);
 
     $me = User::factory()->create(['email' => 'me@example.com', 'google_id' => null]);
@@ -159,17 +161,29 @@
     $socialiteUser->name = 'Me';
     $socialiteUser->email = 'me@example.com';
 
-    Socialite::shouldReceive('driver')
-        ->with('google-auth')
-        ->andReturn($driver = Mockery::mock());
-
+    $driver = Mockery::mock(AbstractProvider::class);
+    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
+    Socialite::shouldReceive('driver')->with('google-auth')->andReturn($driver);
 
     $this->actingAs($me)
-        ->get(route('auth.google.callback'))
+        ->get(route('app.authentication.connect-provider.callback', 'google'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.error');
 
     expect($me->fresh()->google_id)->toBeNull();
     $this->assertAuthenticatedAs($me);
 });
+
+test('connect-provider callback rejects unknown provider', function () {
+    $user = User::factory()->create();
+
+    $this->actingAs($user)
+        ->get(route('app.authentication.connect-provider.callback', 'twitter'))
+        ->assertNotFound();
+});
+
+test('connect-provider callback requires authentication', function () {
+    $this->get(route('app.authentication.connect-provider.callback', 'github'))
+        ->assertRedirect(route('login'));
+});

From 6b7b12f1912625134fd58cf55df5d3bd8039e008 Mon Sep 17 00:00:00 2001
From: Paulo Castellano <paulo@castellanos.llc>
Date: Mon, 4 May 2026 19:33:41 -0300
Subject: [PATCH 3/4] fix: use real anchor for connect button so OAuth redirect
 leaves the SPA

---
 .../pages/settings/profile/Authentication.vue  | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/resources/js/pages/settings/profile/Authentication.vue b/resources/js/pages/settings/profile/Authentication.vue
index 60e7c30d..430e3a49 100644
--- a/resources/js/pages/settings/profile/Authentication.vue
+++ b/resources/js/pages/settings/profile/Authentication.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { Form, Head, Link } from '@inertiajs/vue3';
+import { Form, Head } from '@inertiajs/vue3';
 import { IconDeviceDesktop, IconDeviceMobile } from '@tabler/icons-vue';
 import { trans } from 'laravel-vue-i18n';
 import { computed, ref } from 'vue';
@@ -327,18 +327,16 @@ const logoutDialogOpen = ref(false);
                                     {{ $t('settings.authentication.providers.disconnect') }}
                                 </Button>
                             </Form>
-                            <Link
+                            <Button
                                 v-else-if="!account.connected"
+                                variant="outline"
+                                size="sm"
+                                as="a"
                                 :href="connectProvider(account.provider).url"
+                                :data-test="`connect-${account.provider}`"
                             >
-                                <Button
-                                    variant="outline"
-                                    size="sm"
-                                    :data-test="`connect-${account.provider}`"
-                                >
-                                    {{ $t('settings.authentication.providers.connect') }}
-                                </Button>
-                            </Link>
+                                {{ $t('settings.authentication.providers.connect') }}
+                            </Button>
                         </div>
                     </div>
                 </div>

From e3acd1bb4be568c8a1cb6e4a0b004d58505225e8 Mon Sep 17 00:00:00 2001
From: Paulo Castellano <paulo@castellanos.llc>
Date: Mon, 4 May 2026 19:42:13 -0300
Subject: [PATCH 4/4] revert: keep one OAuth callback URL per provider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Drops the dedicated /settings/authentication/providers/{provider}/callback
route added in the previous refactor — registering a second callback URL
in each OAuth app is more ops cost than the trade is worth.

Back to one callback URL per provider, with a small `Auth::check()`
branch in the auth controllers' callbacks. The check is safe because
the redirects that initiate the round-trip enforce the right
middleware (signup/login is `guest`-only, connect is `auth`-only),
so the auth state at callback time matches the flow's intent.
---
 .env.example                                  | 10 +---
 .../App/Settings/AuthenticationController.php | 50 +------------------
 .../Controllers/Auth/GitHubController.php     | 26 ++++++++++
 .../Controllers/Auth/GoogleController.php     | 26 ++++++++++
 routes/app.php                                |  2 -
 routes/auth.php                               | 10 ++--
 tests/Feature/Auth/ConnectProviderTest.php    | 43 ++++------------
 7 files changed, 73 insertions(+), 94 deletions(-)

diff --git a/.env.example b/.env.example
index 5ec0da26..4e38edbf 100644
--- a/.env.example
+++ b/.env.example
@@ -123,10 +123,7 @@ THREADS_CLIENT_SECRET=
 THREADS_CLIENT_REDIRECT="${APP_URL}/accounts/threads/callback"
 
 # Google (https://console.cloud.google.com)
-# Used for YouTube social account connection AND Google login/signup.
-# Register BOTH callback URLs in the OAuth app's authorized redirect URIs:
-#   - ${APP_URL}/auth/google/callback                                   (signup/login)
-#   - ${APP_URL}/settings/authentication/providers/google/callback      (link from Settings)
+# Used for YouTube social account connection AND Google login/signup
 GOOGLE_AUTH_ENABLED=false
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
@@ -134,10 +131,7 @@ GOOGLE_CLIENT_REDIRECT="${APP_URL}/accounts/youtube/callback"
 GOOGLE_AUTH_CALLBACK="${APP_URL}/auth/google/callback"
 
 # GitHub (https://github.com/settings/developers)
-# Used for GitHub login/signup.
-# Register BOTH callback URLs in the OAuth app's authorized redirect URIs:
-#   - ${APP_URL}/auth/github/callback                                   (signup/login)
-#   - ${APP_URL}/settings/authentication/providers/github/callback      (link from Settings)
+# Used for GitHub login/signup
 GITHUB_AUTH_ENABLED=false
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
diff --git a/app/Http/Controllers/App/Settings/AuthenticationController.php b/app/Http/Controllers/App/Settings/AuthenticationController.php
index 7c74f22e..cb7d29be 100644
--- a/app/Http/Controllers/App/Settings/AuthenticationController.php
+++ b/app/Http/Controllers/App/Settings/AuthenticationController.php
@@ -15,7 +15,6 @@
 use Inertia\Inertia;
 use Inertia\Response;
 use Laravel\Socialite\Facades\Socialite;
-use Laravel\Socialite\Two\AbstractProvider;
 
 class AuthenticationController extends Controller
 {
@@ -69,54 +68,9 @@ public function connectProvider(string $provider): RedirectResponse
     {
         abort_unless(in_array($provider, self::PROVIDERS, true), 404);
 
-        return $this->driver($provider)->redirect();
-    }
-
-    public function connectProviderCallback(Request $request, string $provider): RedirectResponse
-    {
-        abort_unless(in_array($provider, self::PROVIDERS, true), 404);
-
-        try {
-            $providerUser = $this->driver($provider)->user();
-        } catch (\Exception) {
-            return redirect()->route('app.authentication.edit')
-                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => ucfirst($provider)]));
-        }
-
-        $user = $request->user();
-        $column = "{$provider}_id";
-        $providerId = (string) $providerUser->getId();
-
-        $existing = User::where($column, $providerId)
-            ->where('id', '!=', $user->id)
-            ->first();
-
-        if ($existing) {
-            return redirect()->route('app.authentication.edit')
-                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => ucfirst($provider)]));
-        }
-
-        if ($user->{$column} !== $providerId) {
-            $user->update([$column => $providerId]);
-        }
-
-        return redirect()->route('app.authentication.edit')
-            ->with('flash.success', __('settings.authentication.providers.flash_connected', ['provider' => ucfirst($provider)]));
-    }
-
-    /**
-     * Build a Socialite driver for the connect flow with its dedicated
-     * callback URL. The signup/login flow uses the driver's default
-     * redirect URL configured in `config/services.php`; here we override
-     * so each flow round-trips through its own route.
-     */
-    private function driver(string $provider): AbstractProvider
-    {
-        $callback = route('app.authentication.connect-provider.callback', $provider);
-
         return match ($provider) {
-            'google' => Socialite::driver('google-auth')->redirectUrl($callback),
-            'github' => Socialite::driver('github')->scopes(['read:user', 'user:email'])->redirectUrl($callback),
+            'google' => Socialite::driver('google-auth')->redirect(),
+            'github' => Socialite::driver('github')->scopes(['read:user', 'user:email'])->redirect(),
         };
     }
 
diff --git a/app/Http/Controllers/Auth/GitHubController.php b/app/Http/Controllers/Auth/GitHubController.php
index 05be8a6b..3b3f09ba 100644
--- a/app/Http/Controllers/Auth/GitHubController.php
+++ b/app/Http/Controllers/Auth/GitHubController.php
@@ -35,6 +35,13 @@ public function callback(): RedirectResponse
             return redirect()->route('login');
         }
 
+        // The signup/login redirect is gated by the `guest` middleware and
+        // the connect-from-settings redirect by `auth`, so this is a safe
+        // signal for which flow we came from.
+        if (Auth::check()) {
+            return $this->connectToCurrentUser(Auth::user(), (string) $githubUser->getId());
+        }
+
         $user = User::where('github_id', (string) $githubUser->getId())
             ->when($githubUser->getEmail(), fn ($query, $email) => $query->orWhere('email', $email))
             ->first();
@@ -52,6 +59,25 @@ public function callback(): RedirectResponse
         return $this->registerNewUser($githubUser);
     }
 
+    private function connectToCurrentUser(User $user, string $githubId): RedirectResponse
+    {
+        $existing = User::where('github_id', $githubId)
+            ->where('id', '!=', $user->id)
+            ->first();
+
+        if ($existing) {
+            return redirect()->route('app.authentication.edit')
+                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => 'GitHub']));
+        }
+
+        if ($user->github_id !== $githubId) {
+            $user->update(['github_id' => $githubId]);
+        }
+
+        return redirect()->route('app.authentication.edit')
+            ->with('flash.success', __('settings.authentication.providers.flash_connected', ['provider' => 'GitHub']));
+    }
+
     private function loginExistingUser(User $user, string $githubId): RedirectResponse
     {
         if (! $user->github_id) {
diff --git a/app/Http/Controllers/Auth/GoogleController.php b/app/Http/Controllers/Auth/GoogleController.php
index 822b7a8e..f7e1b5da 100644
--- a/app/Http/Controllers/Auth/GoogleController.php
+++ b/app/Http/Controllers/Auth/GoogleController.php
@@ -33,6 +33,13 @@ public function callback(): RedirectResponse
             return redirect()->route('login');
         }
 
+        // The signup/login redirect is gated by the `guest` middleware and
+        // the connect-from-settings redirect by `auth`, so this is a safe
+        // signal for which flow we came from.
+        if (Auth::check()) {
+            return $this->connectToCurrentUser(Auth::user(), $googleUser->getId());
+        }
+
         $user = User::where('google_id', $googleUser->getId())
             ->orWhere('email', $googleUser->getEmail())
             ->first();
@@ -44,6 +51,25 @@ public function callback(): RedirectResponse
         return $this->registerNewUser($googleUser);
     }
 
+    private function connectToCurrentUser(User $user, string $googleId): RedirectResponse
+    {
+        $existing = User::where('google_id', $googleId)
+            ->where('id', '!=', $user->id)
+            ->first();
+
+        if ($existing) {
+            return redirect()->route('app.authentication.edit')
+                ->with('flash.error', __('settings.authentication.providers.flash_already_linked', ['provider' => 'Google']));
+        }
+
+        if ($user->google_id !== $googleId) {
+            $user->update(['google_id' => $googleId]);
+        }
+
+        return redirect()->route('app.authentication.edit')
+            ->with('flash.success', __('settings.authentication.providers.flash_connected', ['provider' => 'Google']));
+    }
+
     private function loginExistingUser(User $user, string $googleId): RedirectResponse
     {
         if (! $user->google_id) {
diff --git a/routes/app.php b/routes/app.php
index 1a1dad3d..85dbafc1 100644
--- a/routes/app.php
+++ b/routes/app.php
@@ -251,8 +251,6 @@
         ->name('app.authentication.destroy-other-sessions');
     Route::get('settings/authentication/providers/{provider}/connect', [AuthenticationController::class, 'connectProvider'])
         ->name('app.authentication.connect-provider');
-    Route::get('settings/authentication/providers/{provider}/callback', [AuthenticationController::class, 'connectProviderCallback'])
-        ->name('app.authentication.connect-provider.callback');
     Route::delete('settings/authentication/providers/{provider}', [AuthenticationController::class, 'disconnectProvider'])
         ->name('app.authentication.disconnect-provider');
 
diff --git a/routes/auth.php b/routes/auth.php
index 1b79eb45..da4e5de0 100644
--- a/routes/auth.php
+++ b/routes/auth.php
@@ -31,12 +31,16 @@
     Route::post('/reset-password', [NewPasswordController::class, 'store'])->name('password.store');
 
     Route::get('/auth/google/redirect', [GoogleController::class, 'redirect'])->name('auth.google.redirect');
-    Route::get('/auth/google/callback', [GoogleController::class, 'callback'])->name('auth.google.callback');
-
     Route::get('/auth/github/redirect', [GitHubController::class, 'redirect'])->name('auth.github.redirect');
-    Route::get('/auth/github/callback', [GitHubController::class, 'callback'])->name('auth.github.callback');
 });
 
+// Callbacks must be reachable by both guests (signup/login) and authenticated
+// users (connect-from-settings). The redirect routes that initiate the OAuth
+// round-trip enforce the right middleware, so the callback can safely branch
+// on `Auth::check()` to dispatch to the matching flow.
+Route::get('/auth/google/callback', [GoogleController::class, 'callback'])->name('auth.google.callback');
+Route::get('/auth/github/callback', [GitHubController::class, 'callback'])->name('auth.github.callback');
+
 Route::middleware(['auth'])->group(function () {
     Route::get('/register/success', SignupSuccessController::class)->name('register.success');
 
diff --git a/tests/Feature/Auth/ConnectProviderTest.php b/tests/Feature/Auth/ConnectProviderTest.php
index 00b0c3b1..6681b856 100644
--- a/tests/Feature/Auth/ConnectProviderTest.php
+++ b/tests/Feature/Auth/ConnectProviderTest.php
@@ -12,7 +12,6 @@
 
     $driver = Mockery::mock(AbstractProvider::class);
     $driver->shouldReceive('scopes')->andReturnSelf();
-    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('redirect')->andReturn(redirect('https://github.com/login/oauth/authorize'));
     Socialite::shouldReceive('driver')->with('github')->andReturn($driver);
 
@@ -25,7 +24,6 @@
     $user = User::factory()->create();
 
     $driver = Mockery::mock(AbstractProvider::class);
-    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('redirect')->andReturn(redirect('https://accounts.google.com/o/oauth2/auth'));
     Socialite::shouldReceive('driver')->with('google-auth')->andReturn($driver);
 
@@ -47,7 +45,7 @@
         ->assertRedirect(route('login'));
 });
 
-test('connect-provider callback connects github to the current user', function () {
+test('authenticated callback connects github to the current user', function () {
     $user = User::factory()->create([
         'email' => 'me@example.com',
         'google_id' => 'g-me',
@@ -60,20 +58,18 @@
     $socialiteUser->email = 'me@example.com';
 
     $driver = Mockery::mock(AbstractProvider::class);
-    $driver->shouldReceive('scopes')->andReturnSelf();
-    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
     Socialite::shouldReceive('driver')->with('github')->andReturn($driver);
 
     $this->actingAs($user)
-        ->get(route('app.authentication.connect-provider.callback', 'github'))
+        ->get(route('auth.github.callback'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.success');
 
     expect($user->fresh()->github_id)->toBe('gh-me');
 });
 
-test('connect-provider callback links github by current user, not by email', function () {
+test('authenticated callback links github by current user, not by email', function () {
     $user = User::factory()->create([
         'email' => 'work@example.com',
         'google_id' => 'g-me',
@@ -86,13 +82,11 @@
     $socialiteUser->email = 'personal@example.com';
 
     $driver = Mockery::mock(AbstractProvider::class);
-    $driver->shouldReceive('scopes')->andReturnSelf();
-    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
     Socialite::shouldReceive('driver')->with('github')->andReturn($driver);
 
     $this->actingAs($user)
-        ->get(route('app.authentication.connect-provider.callback', 'github'))
+        ->get(route('auth.github.callback'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.success');
 
@@ -101,7 +95,7 @@
     $this->assertAuthenticatedAs($user);
 });
 
-test('connect-provider callback rejects when github account is already linked to another user', function () {
+test('authenticated callback rejects when github account is already linked to another user', function () {
     User::factory()->create(['github_id' => 'gh-taken']);
 
     $me = User::factory()->create(['email' => 'me@example.com', 'github_id' => null]);
@@ -112,13 +106,11 @@
     $socialiteUser->email = 'me@example.com';
 
     $driver = Mockery::mock(AbstractProvider::class);
-    $driver->shouldReceive('scopes')->andReturnSelf();
-    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
     Socialite::shouldReceive('driver')->with('github')->andReturn($driver);
 
     $this->actingAs($me)
-        ->get(route('app.authentication.connect-provider.callback', 'github'))
+        ->get(route('auth.github.callback'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.error');
 
@@ -126,7 +118,7 @@
     $this->assertAuthenticatedAs($me);
 });
 
-test('connect-provider callback connects google to the current user', function () {
+test('authenticated callback connects google to the current user', function () {
     $user = User::factory()->create([
         'email' => 'me@example.com',
         'github_id' => 'gh-me',
@@ -139,19 +131,18 @@
     $socialiteUser->email = 'me@example.com';
 
     $driver = Mockery::mock(AbstractProvider::class);
-    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
     Socialite::shouldReceive('driver')->with('google-auth')->andReturn($driver);
 
     $this->actingAs($user)
-        ->get(route('app.authentication.connect-provider.callback', 'google'))
+        ->get(route('auth.google.callback'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.success');
 
     expect($user->fresh()->google_id)->toBe('g-me');
 });
 
-test('connect-provider callback rejects when google account is already linked to another user', function () {
+test('authenticated callback rejects when google account is already linked to another user', function () {
     User::factory()->create(['google_id' => 'g-taken']);
 
     $me = User::factory()->create(['email' => 'me@example.com', 'google_id' => null]);
@@ -162,28 +153,14 @@
     $socialiteUser->email = 'me@example.com';
 
     $driver = Mockery::mock(AbstractProvider::class);
-    $driver->shouldReceive('redirectUrl')->andReturnSelf();
     $driver->shouldReceive('user')->andReturn($socialiteUser);
     Socialite::shouldReceive('driver')->with('google-auth')->andReturn($driver);
 
     $this->actingAs($me)
-        ->get(route('app.authentication.connect-provider.callback', 'google'))
+        ->get(route('auth.google.callback'))
         ->assertRedirect(route('app.authentication.edit'))
         ->assertSessionHas('flash.error');
 
     expect($me->fresh()->google_id)->toBeNull();
     $this->assertAuthenticatedAs($me);
 });
-
-test('connect-provider callback rejects unknown provider', function () {
-    $user = User::factory()->create();
-
-    $this->actingAs($user)
-        ->get(route('app.authentication.connect-provider.callback', 'twitter'))
-        ->assertNotFound();
-});
-
-test('connect-provider callback requires authentication', function () {
-    $this->get(route('app.authentication.connect-provider.callback', 'github'))
-        ->assertRedirect(route('login'));
-});