while-basic
diff --git a/‎apps/backend/prisma/migrations/20250711232750_oauth_method/migration.sql‎
Lines changed: 81 additions & 0 deletions b/‎apps/backend/prisma/migrations/20250711232750_oauth_method/migration.sql‎
Lines changed: 81 additions & 0 deletions
diff --git a/‎apps/backend/prisma/schema.prisma‎
Lines changed: 18 additions & 33 deletions b/‎apps/backend/prisma/schema.prisma‎
Lines changed: 18 additions & 33 deletions
diff --git a/‎apps/backend/src/app/api/latest/auth/oauth/callback/[provider_id]/route.tsx‎
Lines changed: 38 additions & 18 deletions b/‎apps/backend/src/app/api/latest/auth/oauth/callback/[provider_id]/route.tsx‎
Lines changed: 38 additions & 18 deletions
diff --git a/‎apps/backend/src/app/api/latest/connected-accounts/[user_id]/[provider_id]/access-token/crud.tsx‎
Lines changed: 11 additions & 7 deletions b/‎apps/backend/src/app/api/latest/connected-accounts/[user_id]/[provider_id]/access-token/crud.tsx‎
Lines changed: 11 additions & 7 deletions
@@ -0,0 +1,81 @@
+/*
+  Warnings:
+
+  - A unique constraint covering the columns `[tenancyId,projectUserId,configOAuthProviderId]` on the table `OAuthAuthMethod` will be added. If there are existing duplicate values, this will fail.
+
+*/
+-- CreateIndex
+CREATE UNIQUE INDEX "OAuthAuthMethod_tenancyId_projectUserId_configOAuthProvider_key" ON "OAuthAuthMethod"("tenancyId", "projectUserId", "configOAuthProviderId");
+
+-- DropForeignKey
+ALTER TABLE "ConnectedAccount" DROP CONSTRAINT "ConnectedAccount_tenancyId_configOAuthProviderId_providerA_fkey";
+
+-- DropForeignKey
+ALTER TABLE "ConnectedAccount" DROP CONSTRAINT "ConnectedAccount_tenancyId_projectUserId_fkey";
+
+-- DropForeignKey
+ALTER TABLE "OAuthAccessToken" DROP CONSTRAINT "OAuthAccessToken_tenancyId_configOAuthProviderId_providerA_fkey";
+
+-- DropForeignKey
+ALTER TABLE "OAuthAuthMethod" DROP CONSTRAINT "OAuthAuthMethod_tenancyId_configOAuthProviderId_providerAc_fkey";
+
+-- DropForeignKey
+ALTER TABLE "OAuthToken" DROP CONSTRAINT "OAuthToken_tenancyId_configOAuthProviderId_providerAccount_fkey";
+
+-- AlterTable
+ALTER TABLE "ProjectUserOAuthAccount" DROP CONSTRAINT "ProjectUserOAuthAccount_pkey",
+ADD COLUMN     "allowConnectedAccounts" BOOLEAN NOT NULL DEFAULT true,
+ADD COLUMN     "allowSignIn" BOOLEAN NOT NULL DEFAULT true,
+ADD COLUMN     "id" UUID NOT NULL,
+ADD CONSTRAINT "ProjectUserOAuthAccount_pkey" PRIMARY KEY ("tenancyId", "id");
+
+
+-- AlterTable
+ALTER TABLE "OAuthAccessToken" ADD COLUMN "oauthAccountId" UUID;
+
+
+-- Update OAuthAccessToken.oauthAccountId with the corresponding ProjectUserOAuthAccount.id
+UPDATE "OAuthAccessToken" 
+SET "oauthAccountId" = "ProjectUserOAuthAccount"."id"
+FROM "ProjectUserOAuthAccount" 
+WHERE "OAuthAccessToken"."tenancyId" = "ProjectUserOAuthAccount"."tenancyId"
+  AND "OAuthAccessToken"."configOAuthProviderId" = "ProjectUserOAuthAccount"."configOAuthProviderId"
+  AND "OAuthAccessToken"."providerAccountId" = "ProjectUserOAuthAccount"."providerAccountId";
+
+-- AlterTable
+ALTER TABLE "OAuthAccessToken" DROP COLUMN "configOAuthProviderId", DROP COLUMN "providerAccountId";
+ALTER TABLE "OAuthAccessToken" ALTER COLUMN "oauthAccountId" SET NOT NULL;
+
+-- AlterTable
+ALTER TABLE "OAuthToken" ADD COLUMN "oauthAccountId" UUID;
+
+-- Update OAuthToken.oauthAccountId with the corresponding ProjectUserOAuthAccount.id
+UPDATE "OAuthToken" 
+SET "oauthAccountId" = "ProjectUserOAuthAccount"."id"
+FROM "ProjectUserOAuthAccount" 
+WHERE "OAuthToken"."tenancyId" = "ProjectUserOAuthAccount"."tenancyId"
+  AND "OAuthToken"."configOAuthProviderId" = "ProjectUserOAuthAccount"."configOAuthProviderId"
+  AND "OAuthToken"."providerAccountId" = "ProjectUserOAuthAccount"."providerAccountId";
+
+ALTER TABLE "OAuthToken" DROP COLUMN "configOAuthProviderId", DROP COLUMN "providerAccountId";
+ALTER TABLE "OAuthToken" ALTER COLUMN "oauthAccountId" SET NOT NULL;
+
+-- DropTable
+DROP TABLE "ConnectedAccount";
+
+-- CreateIndex
+CREATE UNIQUE INDEX "OAuthAuthMethod_tenancyId_configOAuthProviderId_projectUser_key" ON "OAuthAuthMethod"("tenancyId", "configOAuthProviderId", "projectUserId", "providerAccountId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ProjectUserOAuthAccount_tenancyId_configOAuthProviderId_pro_key" ON "ProjectUserOAuthAccount"("tenancyId", "configOAuthProviderId", "projectUserId", "providerAccountId");
+
+-- AddForeignKey
+ALTER TABLE "OAuthAuthMethod" ADD CONSTRAINT "OAuthAuthMethod_tenancyId_configOAuthProviderId_projectUse_fkey" FOREIGN KEY ("tenancyId", "configOAuthProviderId", "projectUserId", "providerAccountId") REFERENCES "ProjectUserOAuthAccount"("tenancyId", "configOAuthProviderId", "projectUserId", "providerAccountId") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "OAuthToken" ADD CONSTRAINT "OAuthToken_tenancyId_oauthAccountId_fkey" FOREIGN KEY ("tenancyId", "oauthAccountId") REFERENCES "ProjectUserOAuthAccount"("tenancyId", "id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "OAuthAccessToken" ADD CONSTRAINT "OAuthAccessToken_tenancyId_oauthAccountId_fkey" FOREIGN KEY ("tenancyId", "oauthAccountId") REFERENCES "ProjectUserOAuthAccount"("tenancyId", "id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+ALTER TABLE "ProjectUserOAuthAccount" ALTER COLUMN "projectUserId" DROP NOT NULL;
@@ -170,7 +170,6 @@ model ProjectUser {
   teamMembers              TeamMember[]
   contactChannels          ContactChannel[]
   authMethods              AuthMethod[]
-  connectedAccounts        ConnectedAccount[]
 
   // some backlinks for the unique constraints on some auth methods
   passwordAuthMethod         PasswordAuthMethod[]
@@ -196,8 +195,9 @@ model ProjectUser {
 // This should be renamed to "OAuthAccount" as it is not always bound to a user
 // When ever a user goes through the OAuth flow and gets an account ID from the OAuth provider, we store that here.
 model ProjectUserOAuthAccount {
-  tenancyId             String @db.Uuid
-  projectUserId         String @db.Uuid
+  id                    String  @default(uuid()) @db.Uuid
+  tenancyId             String  @db.Uuid
+  projectUserId         String? @db.Uuid
   configOAuthProviderId String
   providerAccountId     String
 
@@ -213,11 +213,13 @@ model ProjectUserOAuthAccount {
   oauthTokens      OAuthToken[]
   oauthAccessToken OAuthAccessToken[]
 
-  // At lease one of the authMethod or connectedAccount should be set.
-  connectedAccount ConnectedAccount?
-  oauthAuthMethod  OAuthAuthMethod?
+  // if allowSignIn is true, oauthAuthMethod must be set
+  oauthAuthMethod        OAuthAuthMethod?
+  allowConnectedAccounts Boolean          @default(true)
+  allowSignIn            Boolean          @default(true)
 
-  @@id([tenancyId, configOAuthProviderId, providerAccountId])
+  @@id([tenancyId, id])
+  @@unique([tenancyId, configOAuthProviderId, projectUserId, providerAccountId])
@@index([tenancyId, projectUserId])
 }
 
@@ -251,23 +253,6 @@ model ContactChannel {
@@unique([tenancyId, type, value, usedForAuth])
 }
 
-model ConnectedAccount {
-  tenancyId             String @db.Uuid
-  id                    String @default(uuid()) @db.Uuid
-  projectUserId         String @db.Uuid
-  configOAuthProviderId String
-  providerAccountId     String
-
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-
-  oauthAccount ProjectUserOAuthAccount @relation(fields: [tenancyId, configOAuthProviderId, providerAccountId], references: [tenancyId, configOAuthProviderId, providerAccountId])
-  projectUser  ProjectUser             @relation(fields: [tenancyId, projectUserId], references: [tenancyId, projectUserId], onDelete: Cascade)
-
-  @@id([tenancyId, id])
-  @@unique([tenancyId, configOAuthProviderId, providerAccountId])
-}
-
 model AuthMethod {
   tenancyId     String @db.Uuid
   id            String @default(uuid()) @db.Uuid
@@ -357,11 +342,13 @@ model OAuthAuthMethod {
   updatedAt DateTime @updatedAt
 
   authMethod   AuthMethod              @relation(fields: [tenancyId, authMethodId], references: [tenancyId, id], onDelete: Cascade)
-  oauthAccount ProjectUserOAuthAccount @relation(fields: [tenancyId, configOAuthProviderId, providerAccountId], references: [tenancyId, configOAuthProviderId, providerAccountId])
+  oauthAccount ProjectUserOAuthAccount @relation(fields: [tenancyId, configOAuthProviderId, projectUserId, providerAccountId], references: [tenancyId, configOAuthProviderId, projectUserId, providerAccountId])
   projectUser  ProjectUser             @relation(fields: [tenancyId, projectUserId], references: [tenancyId, projectUserId], onDelete: Cascade)
 
@@id([tenancyId, authMethodId])
@@unique([tenancyId, configOAuthProviderId, providerAccountId])
+  @@unique([tenancyId, projectUserId, configOAuthProviderId])
+  @@unique([tenancyId, configOAuthProviderId, projectUserId, providerAccountId])
 }
 
 enum StandardOAuthProviderType {
@@ -381,14 +368,13 @@ enum StandardOAuthProviderType {
 model OAuthToken {
   id String @id @default(uuid()) @db.Uuid
 
-  tenancyId             String @db.Uuid
-  configOAuthProviderId String
-  providerAccountId     String
+  tenancyId      String @db.Uuid
+  oauthAccountId String @db.Uuid
 
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
 
-  projectUserOAuthAccount ProjectUserOAuthAccount @relation(fields: [tenancyId, configOAuthProviderId, providerAccountId], references: [tenancyId, configOAuthProviderId, providerAccountId], onDelete: Cascade)
+  projectUserOAuthAccount ProjectUserOAuthAccount @relation(fields: [tenancyId, oauthAccountId], references: [tenancyId, id], onDelete: Cascade)
 
   refreshToken String
   scopes       String[]
@@ -398,14 +384,13 @@ model OAuthToken {
 model OAuthAccessToken {
   id String @id @default(uuid()) @db.Uuid
 
-  tenancyId             String @db.Uuid
-  configOAuthProviderId String
-  providerAccountId     String
+  tenancyId      String @db.Uuid
+  oauthAccountId String @db.Uuid
 
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
 
-  projectUserOAuthAccount ProjectUserOAuthAccount @relation(fields: [tenancyId, configOAuthProviderId, providerAccountId], references: [tenancyId, configOAuthProviderId, providerAccountId], onDelete: Cascade)
+  projectUserOAuthAccount ProjectUserOAuthAccount @relation(fields: [tenancyId, oauthAccountId], references: [tenancyId, id], onDelete: Cascade)
 
   accessToken String
   scopes      String[]
 
@@ -187,27 +187,25 @@ const handler = createSmartRouteHandler({
         }
       });
 
-      const storeTokens = async () => {
+      const storeTokens = async (oauthAccountId: string) => {
         if (tokenSet.refreshToken) {
           await prisma.oAuthToken.create({
             data: {
               tenancyId: outerInfo.tenancyId,
-              configOAuthProviderId: provider.id,
               refreshToken: tokenSet.refreshToken,
-              providerAccountId: userInfo.accountId,
               scopes: extractScopes(providerObj.scope + " " + providerScope),
+              oauthAccountId,
             }
           });
         }
 
         await prisma.oAuthAccessToken.create({
           data: {
             tenancyId: outerInfo.tenancyId,
-            configOAuthProviderId: provider.id,
             accessToken: tokenSet.accessToken,
-            providerAccountId: userInfo.accountId,
             scopes: extractScopes(providerObj.scope + " " + providerScope),
             expiresAt: tokenSet.accessTokenExpiredAt,
+            oauthAccountId,
           }
         });
       };
@@ -220,16 +218,21 @@ const handler = createSmartRouteHandler({
           {
             authenticateHandler: {
               handle: async () => {
-                const oldAccount = await prisma.projectUserOAuthAccount.findUnique({
+                const oldAccounts = await prisma.projectUserOAuthAccount.findMany({
                   where: {
-                    tenancyId_configOAuthProviderId_providerAccountId: {
-                      tenancyId: outerInfo.tenancyId,
-                      configOAuthProviderId: provider.id,
-                      providerAccountId: userInfo.accountId,
-                    },
+                    tenancyId: outerInfo.tenancyId,
+                    configOAuthProviderId: provider.id,
+                    providerAccountId: userInfo.accountId,
+                    allowSignIn: true,
                   },
                 });
 
+                if (oldAccounts.length > 1) {
+                  throw new StackAssertionError("Multiple accounts found for the same provider and account ID");
+                }
+
+                const oldAccount = oldAccounts[0] as (typeof oldAccounts)[number] | undefined;
+
                 // ========================== link account with user ==========================
                 if (type === "link") {
                   if (!projectUserId) {
@@ -241,19 +244,20 @@ const handler = createSmartRouteHandler({
                     if (oldAccount.projectUserId !== projectUserId) {
                       throw new KnownErrors.OAuthConnectionAlreadyConnectedToAnotherUser();
                     }
-                    await storeTokens();
+                    await storeTokens(oldAccount.id);
                   } else {
                     // ========================== connect account with user ==========================
-                    await createProjectUserOAuthAccount(prisma, {
+                    const newOAuthAccount = await createProjectUserOAuthAccount(prisma, {
                       tenancyId: outerInfo.tenancyId,
                       providerId: provider.id,
                       providerAccountId: userInfo.accountId,
                       email: userInfo.email,
                       projectUserId,
                     });
+
+                    await storeTokens(newOAuthAccount.id);
                   }
 
-                  await storeTokens();
                   return {
                     id: projectUserId,
                     newUser: false,
@@ -264,7 +268,7 @@ const handler = createSmartRouteHandler({
                   // ========================== sign in user ==========================
 
                   if (oldAccount) {
-                    await storeTokens();
+                    await storeTokens(oldAccount.id);
 
                     return {
                       id: oldAccount.projectUserId,
@@ -311,7 +315,7 @@ const handler = createSmartRouteHandler({
                           const existingUser = oldContactChannel.projectUser;
 
                           // First create the OAuth account
-                          await createProjectUserOAuthAccount(prisma, {
+                          const newOAuthAccount = await createProjectUserOAuthAccount(prisma, {
                             tenancyId: outerInfo.tenancyId,
                             providerId: provider.id,
                             providerAccountId: userInfo.accountId,
@@ -333,7 +337,7 @@ const handler = createSmartRouteHandler({
                             }
                           });
 
-                          await storeTokens();
+                          await storeTokens(newOAuthAccount.id);
                           return {
                             id: existingUser.projectUserId,
                             newUser: false,
@@ -367,7 +371,23 @@ const handler = createSmartRouteHandler({
                     },
                   });
 
-                  await storeTokens();
+                  const oauthAccount = await prisma.projectUserOAuthAccount.findUnique({
+                    where: {
+                      tenancyId_configOAuthProviderId_projectUserId_providerAccountId: {
+                        tenancyId: outerInfo.tenancyId,
+                        configOAuthProviderId: provider.id,
+                        providerAccountId: userInfo.accountId,
+                        projectUserId: newAccount.id,
+                      },
+                    },
+                  });
+
+                  if (!oauthAccount) {
+                    throw new StackAssertionError("OAuth account not found");
+                  }
+
+                  await storeTokens(oauthAccount.id);
+
                   return {
                     id: newAccount.id,
                     newUser: true,
 
@@ -4,7 +4,7 @@ import { TokenSet } from "@/oauth/providers/base";
 import { getPrismaClientForTenancy } from "@/prisma-client";
 import { createCrudHandlers } from "@/route-handlers/crud-handler";
 import { KnownErrors } from "@stackframe/stack-shared";
-import { connectedAccountAccessTokenCrud } from "@stackframe/stack-shared/dist/interface/crud/oauth";
+import { connectedAccountAccessTokenCrud } from "@stackframe/stack-shared/dist/interface/crud/connected-accounts";
 import { userIdOrMeSchema, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
 import { getEnvVariable } from "@stackframe/stack-shared/dist/utils/env";
 import { StackAssertionError, StatusError, captureError } from "@stackframe/stack-shared/dist/utils/errors";
@@ -43,16 +43,19 @@ export const connectedAccountAccessTokenCrudHandlers = createLazyProxy(() => cre
     const accessTokens = await prisma.oAuthAccessToken.findMany({
       where: {
         tenancyId: auth.tenancy.id,
-        configOAuthProviderId: params.provider_id,
         projectUserOAuthAccount: {
           projectUserId: params.user_id,
+          configOAuthProviderId: params.provider_id,
         },
         expiresAt: {
           // is at least 5 minutes in the future
           gt: new Date(Date.now() + 5 * 60 * 1000),
         },
         isValid: true,
       },
+      include: {
+        projectUserOAuthAccount: true,
+      },
     });
     const filteredTokens = accessTokens.filter((t) => {
       return extractScopes(data.scope || "").every((scope) => t.scopes.includes(scope));
@@ -79,12 +82,15 @@ export const connectedAccountAccessTokenCrudHandlers = createLazyProxy(() => cre
     const refreshTokens = await prisma.oAuthToken.findMany({
       where: {
         tenancyId: auth.tenancy.id,
-        configOAuthProviderId: params.provider_id,
         projectUserOAuthAccount: {
           projectUserId: params.user_id,
+          configOAuthProviderId: params.provider_id,
         },
         isValid: true,
       },
+      include: {
+        projectUserOAuthAccount: true,
+      },
     });
 
     const filteredRefreshTokens = refreshTokens.filter((t) => {
@@ -125,9 +131,8 @@ export const connectedAccountAccessTokenCrudHandlers = createLazyProxy(() => cre
         await prisma.oAuthAccessToken.create({
           data: {
             tenancyId: auth.tenancy.id,
-            configOAuthProviderId: params.provider_id,
             accessToken: tokenSet.accessToken,
-            providerAccountId: token.providerAccountId,
+            oauthAccountId: token.projectUserOAuthAccount.id,
             scopes: token.scopes,
             expiresAt: tokenSet.accessTokenExpiredAt
           }
@@ -143,9 +148,8 @@ export const connectedAccountAccessTokenCrudHandlers = createLazyProxy(() => cre
           await prisma.oAuthToken.create({
             data: {
               tenancyId: auth.tenancy.id,
-              configOAuthProviderId: params.provider_id,
               refreshToken: tokenSet.refreshToken,
-              providerAccountId: token.providerAccountId,
+              oauthAccountId: token.projectUserOAuthAccount.id,
               scopes: token.scopes,
             }
           });