Merge pull request #13115 from dacook/oidc-record-not-unique

Catch error and provide message
2026-02-04 22:16:08 +00:00 · 2025-02-13 21:53:56 -06:00
parent 9f7405500a 13f5009563
commit dfe978520d
3 changed files with 22 additions and 1 deletions
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -2,8 +2,13 @@

 class OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def openid_connect
-    OidcAccount.link(spree_current_user, request.env["omniauth.auth"])
+    ActiveRecord::Base.transaction do
+      OidcAccount.link(spree_current_user, request.env["omniauth.auth"])
+    end

+    redirect_to admin_oidc_settings_path
+  rescue ActiveRecord::RecordNotUnique
+    flash[:error] = t("devise.oidc.record_not_unique", uid: request.env["omniauth.auth"].uid)
    redirect_to admin_oidc_settings_path
  end

--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -321,6 +321,7 @@ en:
        send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
    oidc:
      failure: "Could not sign in: %{error}"
+      record_not_unique: "%{uid} is already associated with another account"
  home_page_alert_html: "Home page alert HTML"
  hub_signup_case_studies_html: "Hub signup case studies HTML"
  hub_signup_detail_html: "Hub signup detail HTML"
--- a/spec/requests/omniauth_callbacks_controller_spec.rb
+++ b/spec/requests/omniauth_callbacks_controller_spec.rb
@@ -35,6 +35,20 @@ RSpec.describe '/user/spree_user/auth/openid_connect/callback', type: :request d
      expect(account.uid).to eq "ofn@example.com"
      expect(response.status).to eq(302)
    end
+
+    context 'when OIDC account already linked with a different user' do
+      before do
+        create(:user, email: "ofn@elsewhere.com")
+          .create_oidc_account!(uid: "ofn@example.com")
+      end
+
+      it 'fails with error message' do
+        expect { request! }.not_to change { OidcAccount.count }
+
+        expect(response.status).to eq(302)
+        expect(flash[:error]).to match "ofn@example.com is already associated with another account"
+      end
+    end
  end

  context 'when the omniauth openid_connect is mocked with an error' do
@@ -46,6 +60,7 @@ RSpec.describe '/user/spree_user/auth/openid_connect/callback', type: :request d
      expect { request! }.not_to change { OidcAccount.count }

      expect(response.status).to eq(302)
+      expect(flash[:error]).to match "Could not sign in"
    end
  end
 end