fix(server): user can not signup through oauth if ever invited (#6101)

packages/backend/server/migrations/20240313033631_user_registered_flag/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "registered" BOOLEAN NOT NULL DEFAULT true;

packages/backend/server/schema.prisma

@@ -18,6 +18,9 @@ model User {
   createdAt       DateTime  @default(now()) @map("created_at") @db.Timestamptz(6)
   /// Not available if user signed up through OAuth providers
   password        String?   @db.VarChar
+  /// Indicate whether the user finished the signup progress.
+  /// for example, the value will be false if user never registered and invited into a workspace by others.
+  registered      Boolean   @default(true)
 
   features             UserFeatures[]
   customer             UserStripeCustomer?

packages/backend/server/src/core/auth/controller.ts

@@ -152,8 +152,9 @@ export class AuthController {
       throw new BadRequestException('Invalid Sign-in mail Token');
     }
 
-    const user = await this.user.findOrCreateUser(email, {
+    const user = await this.user.fulfillUser(email, {
       emailVerifiedAt: new Date(),
+      registered: true,
     });
 
     await this.auth.setCookie(req, res, user);

packages/backend/server/src/core/auth/current-user.ts

@@ -49,7 +49,7 @@ export const CurrentUser = createParamDecorator(
 );
 
 export interface CurrentUser
-  extends Omit<User, 'password' | 'createdAt' | 'emailVerifiedAt'> {
+  extends Pick<User, 'id' | 'email' | 'avatarUrl' | 'name'> {
   hasPassword: boolean | null;
   emailVerified: boolean;
 }

packages/backend/server/src/core/auth/service.ts

@@ -36,12 +36,18 @@ export function parseAuthUserSeqNum(value: any) {
 }
 
 export function sessionUser(
-  user: Omit<User, 'password'> & { password?: string | null }
+  user: Pick<
+    User,
+    'id' | 'email' | 'avatarUrl' | 'name' | 'emailVerifiedAt'
+  > & { password?: string | null }
 ): CurrentUser {
-  return assign(omit(user, 'password', 'emailVerifiedAt', 'createdAt'), {
-    hasPassword: user.password !== null,
-    emailVerified: user.emailVerifiedAt !== null,
-  });
+  return assign(
+    omit(user, 'password', 'registered', 'emailVerifiedAt', 'createdAt'),
+    {
+      hasPassword: user.password !== null,
+      emailVerified: user.emailVerifiedAt !== null,
+    }
+  );
 }
 
 @Injectable()

packages/backend/server/src/core/user/management.ts

@@ -42,7 +42,9 @@ export class UserManagementResolver {
     if (user) {
       return this.feature.addEarlyAccess(user.id);
     } else {
-      const user = await this.users.createAnonymousUser(email);
+      const user = await this.users.createAnonymousUser(email, {
+        registered: false,
+      });
       return this.feature.addEarlyAccess(user.id);
     }
   }

packages/backend/server/src/core/user/service.ts

@@ -11,11 +11,12 @@ export class UserService {
     email: true,
     emailVerifiedAt: true,
     avatarUrl: true,
+    registered: true,
   } satisfies Prisma.UserSelect;
 
   constructor(private readonly prisma: PrismaClient) {}
 
-  get userCreatingData(): Partial<Prisma.UserCreateInput> {
+  get userCreatingData() {
     return {
       name: 'Unnamed',
       features: {
@@ -106,6 +107,26 @@ export class UserService {
     return this.createAnonymousUser(email, data);
   }
 
+  async fulfillUser(
+    email: string,
+    data: Partial<
+      Pick<Prisma.UserCreateInput, 'emailVerifiedAt' | 'registered'>
+    >
+  ) {
+    return this.prisma.user.upsert({
+      select: this.defaultUserSelect,
+      where: {
+        email,
+      },
+      update: data,
+      create: {
+        email,
+        ...this.userCreatingData,
+        ...data,
+      },
+    });
+  }
+
   async deleteUser(id: string) {
     return this.prisma.user.delete({ where: { id } });
   }

packages/backend/server/src/core/workspaces/resolvers/workspace.ts

@@ -358,7 +358,9 @@ export class WorkspaceResolver {
       // only invite if the user is not already in the workspace
       if (originRecord) return originRecord.id;
     } else {
-      target = await this.users.createAnonymousUser(email);
+      target = await this.users.createAnonymousUser(email, {
+        registered: false,
+      });
     }
 
     const inviteId = await this.permissions.grant(

packages/backend/server/src/plugins/oauth/controller.ts

@@ -153,9 +153,17 @@ export class OAuthController {
     if (user) {
       // we can't directly connect the external account with given email in sign in scenario for safety concern.
       // let user manually connect in account sessions instead.
-      throw new BadRequestException(
-        'The account with provided email is not register in the same way.'
-      );
+      if (user.registered) {
+        throw new BadRequestException(
+          'The account with provided email is not register in the same way.'
+        );
+      }
+
+      await this.user.fulfillUser(externalAccount.email, {
+        registered: true,
+      });
+
+      return user;
     } else {
       user = await this.createUserWithConnectedAccount(
         provider,