diff --git a/backend/internal/handler/auth_linuxdo_oauth.go b/backend/internal/handler/auth_linuxdo_oauth.go
index c3a9041b..e0bee2f5 100644
--- a/backend/internal/handler/auth_linuxdo_oauth.go
+++ b/backend/internal/handler/auth_linuxdo_oauth.go
@@ -325,80 +325,18 @@ func (h *AuthHandler) LinuxDoOAuthCallback(c *gin.Context) {
redirectOAuthError(c, frontendCallback, "session_error", infraerrors.Reason(err), infraerrors.Message(err))
return
}
- if compatEmailUser != nil {
- if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
- Intent: "adopt_existing_user_by_email",
- Identity: identityKey,
- TargetUserID: &compatEmailUser.ID,
- ResolvedEmail: compatEmailUser.Email,
- RedirectTo: redirectTo,
- BrowserSessionKey: browserSessionKey,
- UpstreamIdentityClaims: upstreamClaims,
- CompletionResponse: map[string]any{
- "redirect": redirectTo,
- "step": "bind_login_required",
- "email": compatEmailUser.Email,
- },
- }); err != nil {
- redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
- return
- }
- redirectToFrontendCallback(c, frontendCallback)
- return
- }
-
- if h.isForceEmailOnThirdPartySignup(c.Request.Context()) {
- if err := h.createOAuthEmailRequiredPendingSession(c, identityKey, redirectTo, browserSessionKey, upstreamClaims); err != nil {
- redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
- return
- }
- redirectToFrontendCallback(c, frontendCallback)
- return
- }
-
- // 传入空邀请码;如果需要邀请码,服务层返回 ErrOAuthInvitationRequired
- tokenPair, user, err := h.authService.LoginOrRegisterOAuthWithTokenPair(c.Request.Context(), email, username, "")
- if err != nil {
- if errors.Is(err, service.ErrOAuthInvitationRequired) {
- if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
- Intent: "login",
- Identity: identityKey,
- ResolvedEmail: email,
- RedirectTo: redirectTo,
- BrowserSessionKey: browserSessionKey,
- UpstreamIdentityClaims: upstreamClaims,
- CompletionResponse: map[string]any{
- "error": "invitation_required",
- "redirect": redirectTo,
- },
- }); err != nil {
- redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
- return
- }
- redirectToFrontendCallback(c, frontendCallback)
- return
- }
- // 避免把内部细节泄露给客户端;给前端保留结构化原因与提示信息即可。
- redirectOAuthError(c, frontendCallback, "login_failed", infraerrors.Reason(err), infraerrors.Message(err))
- return
- }
-
- if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
- Intent: "login",
- Identity: identityKey,
- TargetUserID: &user.ID,
- ResolvedEmail: email,
- RedirectTo: redirectTo,
- BrowserSessionKey: browserSessionKey,
- UpstreamIdentityClaims: upstreamClaims,
- CompletionResponse: map[string]any{
- "access_token": tokenPair.AccessToken,
- "refresh_token": tokenPair.RefreshToken,
- "expires_in": tokenPair.ExpiresIn,
- "token_type": "Bearer",
- "redirect": redirectTo,
- },
- }); err != nil {
+ if err := h.createLinuxDoOAuthChoicePendingSession(
+ c,
+ identityKey,
+ email,
+ email,
+ redirectTo,
+ browserSessionKey,
+ upstreamClaims,
+ compatEmail,
+ compatEmailUser,
+ h.isForceEmailOnThirdPartySignup(c.Request.Context()),
+ ); err != nil {
redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
return
}
@@ -431,6 +369,62 @@ func (h *AuthHandler) findLinuxDoCompatEmailUser(ctx context.Context, email stri
return userEntity, nil
}
+func (h *AuthHandler) createLinuxDoOAuthChoicePendingSession(
+ c *gin.Context,
+ identity service.PendingAuthIdentityKey,
+ suggestedEmail string,
+ resolvedEmail string,
+ redirectTo string,
+ browserSessionKey string,
+ upstreamClaims map[string]any,
+ compatEmail string,
+ compatEmailUser *dbent.User,
+ forceEmailOnSignup bool,
+) error {
+ suggestionEmail := strings.TrimSpace(suggestedEmail)
+ canonicalEmail := strings.TrimSpace(resolvedEmail)
+ if suggestionEmail == "" {
+ suggestionEmail = canonicalEmail
+ }
+
+ completionResponse := map[string]any{
+ "step": oauthPendingChoiceStep,
+ "adoption_required": true,
+ "redirect": strings.TrimSpace(redirectTo),
+ "email": suggestionEmail,
+ "resolved_email": canonicalEmail,
+ "existing_account_email": "",
+ "existing_account_bindable": false,
+ "create_account_allowed": true,
+ "force_email_on_signup": forceEmailOnSignup,
+ "choice_reason": "third_party_signup",
+ }
+ if strings.TrimSpace(compatEmail) != "" {
+ completionResponse["compat_email"] = strings.TrimSpace(compatEmail)
+ }
+ resolvedChoiceEmail := suggestionEmail
+ if compatEmailUser != nil {
+ completionResponse["email"] = strings.TrimSpace(compatEmailUser.Email)
+ completionResponse["existing_account_email"] = strings.TrimSpace(compatEmailUser.Email)
+ completionResponse["existing_account_bindable"] = true
+ completionResponse["choice_reason"] = "compat_email_match"
+ resolvedChoiceEmail = strings.TrimSpace(compatEmailUser.Email)
+ }
+ if forceEmailOnSignup && compatEmailUser == nil {
+ completionResponse["choice_reason"] = "force_email_on_signup"
+ }
+
+ return h.createOAuthPendingSession(c, oauthPendingSessionPayload{
+ Intent: oauthIntentLogin,
+ Identity: identity,
+ ResolvedEmail: resolvedChoiceEmail,
+ RedirectTo: redirectTo,
+ BrowserSessionKey: browserSessionKey,
+ UpstreamIdentityClaims: upstreamClaims,
+ CompletionResponse: completionResponse,
+ })
+}
+
type completeLinuxDoOAuthRequest struct {
InvitationCode string `json:"invitation_code" binding:"required"`
AdoptDisplayName *bool `json:"adopt_display_name,omitempty"`
diff --git a/backend/internal/handler/auth_oauth_pending_flow.go b/backend/internal/handler/auth_oauth_pending_flow.go
index 8a3006f3..b98d4d33 100644
--- a/backend/internal/handler/auth_oauth_pending_flow.go
+++ b/backend/internal/handler/auth_oauth_pending_flow.go
@@ -32,6 +32,7 @@ const (
oauthPendingSessionCookiePath = "/api/v1/auth/oauth"
oauthPendingSessionCookieName = "oauth_pending_session"
oauthPendingCookieMaxAgeSec = 10 * 60
+ oauthPendingChoiceStep = "choose_account_action_required"
oauthCompletionResponseKey = "completion_response"
)
@@ -431,8 +432,9 @@ func (h *AuthHandler) createOAuthEmailRequiredPendingSession(
BrowserSessionKey: browserSessionKey,
UpstreamIdentityClaims: upstreamClaims,
CompletionResponse: map[string]any{
- "redirect": redirectTo,
- "step": "email_required",
+ "redirect": strings.TrimSpace(redirectTo),
+ "step": oauthPendingChoiceStep,
+ "adoption_required": true,
"force_email_on_signup": true,
"email_binding_required": true,
"existing_account_bindable": true,
@@ -492,7 +494,7 @@ func (h *AuthHandler) SendPendingOAuthVerifyCode(c *gin.Context) {
email := strings.TrimSpace(strings.ToLower(req.Email))
if existingUser, err := findUserByNormalizedEmail(c.Request.Context(), client, email); err == nil && existingUser != nil {
- session, err = h.transitionPendingOAuthAccountToBindLogin(c, client, session, email, oauthAdoptionDecisionRequest{})
+ session, err = h.transitionPendingOAuthAccountToChoiceState(c, client, session, email)
if err != nil {
response.ErrorFrom(c, err)
return
@@ -1206,12 +1208,13 @@ func readPendingOAuthBrowserSession(c *gin.Context, h *AuthHandler) (*service.Au
}
func buildPendingOAuthSessionStatusPayload(session *dbent.PendingAuthSession) gin.H {
+ completionResponse := normalizePendingOAuthCompletionResponse(mergePendingCompletionResponse(session, nil))
payload := gin.H{
"auth_result": "pending_session",
"provider": strings.TrimSpace(session.ProviderType),
"intent": strings.TrimSpace(session.Intent),
}
- for key, value := range mergePendingCompletionResponse(session, nil) {
+ for key, value := range completionResponse {
payload[key] = value
}
if email := strings.TrimSpace(session.ResolvedEmail); email != "" {
@@ -1220,38 +1223,58 @@ func buildPendingOAuthSessionStatusPayload(session *dbent.PendingAuthSession) gi
return payload
}
-func (h *AuthHandler) transitionPendingOAuthAccountToBindLogin(
+func normalizePendingOAuthCompletionResponse(payload map[string]any) map[string]any {
+ normalized := clonePendingMap(payload)
+ step := strings.ToLower(strings.TrimSpace(pendingSessionStringValue(normalized, "step")))
+ switch step {
+ case "choice", "choose_account_action", "choose_account", "choose", "email_required", "bind_login_required":
+ normalized["step"] = oauthPendingChoiceStep
+ }
+ if strings.EqualFold(strings.TrimSpace(pendingSessionStringValue(normalized, "step")), oauthPendingChoiceStep) {
+ normalized["adoption_required"] = true
+ }
+ if _, exists := normalized["adoption_required"]; !exists {
+ if _, hasChoiceFields := normalized["email_binding_required"]; hasChoiceFields {
+ normalized["adoption_required"] = true
+ }
+ }
+ return normalized
+}
+
+func pendingOAuthChoiceCompletionResponse(session *dbent.PendingAuthSession, email string) map[string]any {
+ response := mergePendingCompletionResponse(session, map[string]any{
+ "step": oauthPendingChoiceStep,
+ "adoption_required": true,
+ "force_email_on_signup": true,
+ "email_binding_required": true,
+ "existing_account_bindable": true,
+ })
+ if email = strings.TrimSpace(email); email != "" {
+ response["email"] = email
+ response["resolved_email"] = email
+ }
+ return response
+}
+
+func (h *AuthHandler) transitionPendingOAuthAccountToChoiceState(
c *gin.Context,
client *dbent.Client,
session *dbent.PendingAuthSession,
email string,
- decision oauthAdoptionDecisionRequest,
) (*dbent.PendingAuthSession, error) {
- existingUser, err := findUserByNormalizedEmail(c.Request.Context(), client, email)
- if err != nil {
- return nil, err
- }
-
- completionResponse := mergePendingCompletionResponse(session, map[string]any{
- "step": "bind_login_required",
- "email": email,
- })
- session, err = updatePendingOAuthSessionProgress(
+ completionResponse := pendingOAuthChoiceCompletionResponse(session, email)
+ session, err := updatePendingOAuthSessionProgress(
c.Request.Context(),
client,
session,
- "adopt_existing_user_by_email",
+ strings.TrimSpace(session.Intent),
email,
- &existingUser.ID,
+ nil,
completionResponse,
)
if err != nil {
return nil, infraerrors.InternalServer("PENDING_AUTH_SESSION_UPDATE_FAILED", "failed to update pending oauth session").WithCause(err)
}
-
- if _, err := h.ensurePendingOAuthAdoptionDecision(c, session.ID, decision); err != nil {
- return nil, err
- }
return session, nil
}
@@ -1365,12 +1388,20 @@ func (h *AuthHandler) createPendingOAuthAccount(c *gin.Context, provider string)
email := strings.TrimSpace(strings.ToLower(req.Email))
existingUser, err := findUserByNormalizedEmail(c.Request.Context(), client, email)
- if err != nil && !errors.Is(err, service.ErrUserNotFound) {
- response.ErrorFrom(c, infraerrors.ServiceUnavailable("SERVICE_UNAVAILABLE", "service temporarily unavailable"))
- return
+ if err != nil {
+ switch {
+ case errors.Is(err, service.ErrUserNotFound):
+ existingUser = nil
+ case infraerrors.Code(err) >= http.StatusBadRequest && infraerrors.Code(err) < http.StatusInternalServerError:
+ response.ErrorFrom(c, err)
+ return
+ default:
+ response.ErrorFrom(c, infraerrors.ServiceUnavailable("SERVICE_UNAVAILABLE", "service temporarily unavailable"))
+ return
+ }
}
if existingUser != nil {
- session, err = h.transitionPendingOAuthAccountToBindLogin(c, client, session, email, req.adoptionDecision())
+ session, err = h.transitionPendingOAuthAccountToChoiceState(c, client, session, email)
if err != nil {
response.ErrorFrom(c, err)
return
@@ -1393,7 +1424,7 @@ func (h *AuthHandler) createPendingOAuthAccount(c *gin.Context, provider string)
)
if err != nil {
if errors.Is(err, service.ErrEmailExists) {
- session, err = h.transitionPendingOAuthAccountToBindLogin(c, client, session, email, req.adoptionDecision())
+ session, err = h.transitionPendingOAuthAccountToChoiceState(c, client, session, email)
if err != nil {
response.ErrorFrom(c, err)
return
@@ -1548,6 +1579,7 @@ func (h *AuthHandler) ExchangePendingOAuthCompletion(c *gin.Context) {
response.ErrorFrom(c, infraerrors.InternalServer("PENDING_AUTH_COMPLETION_INVALID", "pending auth completion payload is invalid"))
return
}
+ payload = normalizePendingOAuthCompletionResponse(payload)
if strings.TrimSpace(session.RedirectTo) != "" {
if _, exists := payload["redirect"]; !exists {
payload["redirect"] = session.RedirectTo
diff --git a/backend/internal/handler/auth_oidc_oauth.go b/backend/internal/handler/auth_oidc_oauth.go
index 6d19e9d6..d2042a87 100644
--- a/backend/internal/handler/auth_oidc_oauth.go
+++ b/backend/internal/handler/auth_oidc_oauth.go
@@ -420,27 +420,6 @@ func (h *AuthHandler) OIDCOAuthCallback(c *gin.Context) {
redirectOAuthError(c, frontendCallback, "session_error", infraerrors.Reason(err), infraerrors.Message(err))
return
}
- if compatEmailUser != nil {
- if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
- Intent: "adopt_existing_user_by_email",
- Identity: identityRef,
- TargetUserID: &compatEmailUser.ID,
- ResolvedEmail: compatEmailUser.Email,
- RedirectTo: redirectTo,
- BrowserSessionKey: browserSessionKey,
- UpstreamIdentityClaims: upstreamClaims,
- CompletionResponse: map[string]any{
- "redirect": redirectTo,
- "step": "bind_login_required",
- "email": compatEmailUser.Email,
- },
- }); err != nil {
- redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
- return
- }
- redirectToFrontendCallback(c, frontendCallback)
- return
- }
if cfg.RequireEmailVerified {
if emailVerified == nil || !*emailVerified {
@@ -450,7 +429,18 @@ func (h *AuthHandler) OIDCOAuthCallback(c *gin.Context) {
}
if h.isForceEmailOnThirdPartySignup(c.Request.Context()) {
- if err := h.createOAuthEmailRequiredPendingSession(c, identityRef, redirectTo, browserSessionKey, upstreamClaims); err != nil {
+ if err := h.createOIDCOAuthChoicePendingSession(
+ c,
+ identityRef,
+ email,
+ email,
+ redirectTo,
+ browserSessionKey,
+ upstreamClaims,
+ compatEmail,
+ compatEmailUser,
+ true,
+ ); err != nil {
redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
return
}
@@ -458,48 +448,18 @@ func (h *AuthHandler) OIDCOAuthCallback(c *gin.Context) {
return
}
- // 传入空邀请码;如果需要邀请码,服务层返回 ErrOAuthInvitationRequired
- tokenPair, user, err := h.authService.LoginOrRegisterOAuthWithTokenPair(c.Request.Context(), email, username, "")
- if err != nil {
- if errors.Is(err, service.ErrOAuthInvitationRequired) {
- if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
- Intent: "login",
- Identity: identityRef,
- ResolvedEmail: email,
- RedirectTo: redirectTo,
- BrowserSessionKey: browserSessionKey,
- UpstreamIdentityClaims: upstreamClaims,
- CompletionResponse: map[string]any{
- "error": "invitation_required",
- "redirect": redirectTo,
- },
- }); err != nil {
- redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
- return
- }
- redirectToFrontendCallback(c, frontendCallback)
- return
- }
- redirectOAuthError(c, frontendCallback, "login_failed", infraerrors.Reason(err), infraerrors.Message(err))
- return
- }
-
- if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
- Intent: "login",
- Identity: identityRef,
- TargetUserID: &user.ID,
- ResolvedEmail: email,
- RedirectTo: redirectTo,
- BrowserSessionKey: browserSessionKey,
- UpstreamIdentityClaims: upstreamClaims,
- CompletionResponse: map[string]any{
- "access_token": tokenPair.AccessToken,
- "refresh_token": tokenPair.RefreshToken,
- "expires_in": tokenPair.ExpiresIn,
- "token_type": "Bearer",
- "redirect": redirectTo,
- },
- }); err != nil {
+ if err := h.createOIDCOAuthChoicePendingSession(
+ c,
+ identityRef,
+ email,
+ email,
+ redirectTo,
+ browserSessionKey,
+ upstreamClaims,
+ compatEmail,
+ compatEmailUser,
+ h.isForceEmailOnThirdPartySignup(c.Request.Context()),
+ ); err != nil {
redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
return
}
@@ -530,6 +490,65 @@ func (h *AuthHandler) findOIDCCompatEmailUser(ctx context.Context, email string)
return userEntity, nil
}
+func (h *AuthHandler) createOIDCOAuthChoicePendingSession(
+ c *gin.Context,
+ identity service.PendingAuthIdentityKey,
+ suggestedEmail string,
+ resolvedEmail string,
+ redirectTo string,
+ browserSessionKey string,
+ upstreamClaims map[string]any,
+ compatEmail string,
+ compatEmailUser *dbent.User,
+ forceEmailOnSignup bool,
+) error {
+ suggestionEmail := strings.TrimSpace(suggestedEmail)
+ canonicalEmail := strings.TrimSpace(resolvedEmail)
+ if suggestionEmail == "" {
+ suggestionEmail = canonicalEmail
+ }
+
+ completionResponse := map[string]any{
+ "step": oauthPendingChoiceStep,
+ "adoption_required": true,
+ "redirect": strings.TrimSpace(redirectTo),
+ "email": suggestionEmail,
+ "resolved_email": canonicalEmail,
+ "existing_account_email": "",
+ "existing_account_bindable": false,
+ "create_account_allowed": true,
+ "force_email_on_signup": forceEmailOnSignup,
+ "choice_reason": "third_party_signup",
+ }
+ if strings.TrimSpace(compatEmail) != "" {
+ completionResponse["compat_email"] = strings.TrimSpace(compatEmail)
+ }
+ if compatEmailUser != nil {
+ completionResponse["email"] = strings.TrimSpace(compatEmailUser.Email)
+ completionResponse["existing_account_email"] = strings.TrimSpace(compatEmailUser.Email)
+ completionResponse["existing_account_bindable"] = true
+ completionResponse["choice_reason"] = "compat_email_match"
+ }
+ if forceEmailOnSignup && compatEmailUser == nil {
+ completionResponse["choice_reason"] = "force_email_on_signup"
+ }
+
+ resolvedChoiceEmail := suggestionEmail
+ if compatEmailUser != nil {
+ resolvedChoiceEmail = strings.TrimSpace(compatEmailUser.Email)
+ }
+
+ return h.createOAuthPendingSession(c, oauthPendingSessionPayload{
+ Intent: oauthIntentLogin,
+ Identity: identity,
+ ResolvedEmail: resolvedChoiceEmail,
+ RedirectTo: redirectTo,
+ BrowserSessionKey: browserSessionKey,
+ UpstreamIdentityClaims: upstreamClaims,
+ CompletionResponse: completionResponse,
+ })
+}
+
type completeOIDCOAuthRequest struct {
InvitationCode string `json:"invitation_code" binding:"required"`
AdoptDisplayName *bool `json:"adopt_display_name,omitempty"`
diff --git a/backend/internal/handler/auth_wechat_oauth.go b/backend/internal/handler/auth_wechat_oauth.go
index 734fb2ef..2fa035a5 100644
--- a/backend/internal/handler/auth_wechat_oauth.go
+++ b/backend/internal/handler/auth_wechat_oauth.go
@@ -62,6 +62,8 @@ type wechatOAuthConfig struct {
scope string
redirectURI string
frontendCallback string
+ openEnabled bool
+ mpEnabled bool
}
type wechatOAuthTokenResponse struct {
@@ -209,11 +211,18 @@ func (h *AuthHandler) WeChatOAuthCallback(c *gin.Context) {
unionid := strings.TrimSpace(firstNonEmpty(userInfo.UnionID, tokenResp.UnionID))
openid := strings.TrimSpace(firstNonEmpty(userInfo.OpenID, tokenResp.OpenID))
- if unionid == "" {
+ providerSubject := unionid
+ if providerSubject == "" {
+ if cfg.requiresUnionID() {
+ redirectOAuthError(c, frontendCallback, "provider_error", "wechat_missing_unionid", "")
+ return
+ }
+ providerSubject = openid
+ }
+ if providerSubject == "" {
redirectOAuthError(c, frontendCallback, "provider_error", "wechat_missing_unionid", "")
return
}
- providerSubject := unionid
username := firstNonEmpty(userInfo.Nickname, wechatFallbackUsername(providerSubject))
email := wechatSyntheticEmail(providerSubject)
@@ -284,7 +293,18 @@ func (h *AuthHandler) WeChatOAuthCallback(c *gin.Context) {
}
if h.isForceEmailOnThirdPartySignup(c.Request.Context()) {
- if err := h.createOAuthEmailRequiredPendingSession(c, identityRef, redirectTo, browserSessionKey, upstreamClaims); err != nil {
+ if err := h.createWeChatChoicePendingSession(
+ c,
+ identityRef,
+ email,
+ email,
+ redirectTo,
+ browserSessionKey,
+ upstreamClaims,
+ "",
+ nil,
+ true,
+ ); err != nil {
redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
return
}
@@ -292,17 +312,18 @@ func (h *AuthHandler) WeChatOAuthCallback(c *gin.Context) {
return
}
- tokenPair, _, err := h.authService.LoginOrRegisterOAuthWithTokenPair(c.Request.Context(), email, username, "")
- if err != nil {
- if err := h.createWeChatPendingSession(c, normalizedIntent, providerSubject, email, redirectTo, browserSessionKey, upstreamClaims, tokenPair, err, nil); err != nil {
- redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
- return
- }
- redirectToFrontendCallback(c, frontendCallback)
- return
- }
-
- if err := h.createWeChatPendingSession(c, normalizedIntent, providerSubject, email, redirectTo, browserSessionKey, upstreamClaims, tokenPair, nil, nil); err != nil {
+ if err := h.createWeChatChoicePendingSession(
+ c,
+ identityRef,
+ email,
+ email,
+ redirectTo,
+ browserSessionKey,
+ upstreamClaims,
+ "",
+ nil,
+ false,
+ ); err != nil {
redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
return
}
@@ -600,6 +621,65 @@ func (h *AuthHandler) createWeChatPendingSession(
})
}
+func (h *AuthHandler) createWeChatChoicePendingSession(
+ c *gin.Context,
+ identity service.PendingAuthIdentityKey,
+ suggestedEmail string,
+ resolvedEmail string,
+ redirectTo string,
+ browserSessionKey string,
+ upstreamClaims map[string]any,
+ compatEmail string,
+ compatEmailUser *dbent.User,
+ forceEmailOnSignup bool,
+) error {
+ suggestionEmail := strings.TrimSpace(suggestedEmail)
+ canonicalEmail := strings.TrimSpace(resolvedEmail)
+ if suggestionEmail == "" {
+ suggestionEmail = canonicalEmail
+ }
+
+ completionResponse := map[string]any{
+ "step": oauthPendingChoiceStep,
+ "adoption_required": true,
+ "redirect": strings.TrimSpace(redirectTo),
+ "email": suggestionEmail,
+ "resolved_email": canonicalEmail,
+ "existing_account_email": "",
+ "existing_account_bindable": false,
+ "create_account_allowed": true,
+ "force_email_on_signup": forceEmailOnSignup,
+ "choice_reason": "third_party_signup",
+ }
+ if strings.TrimSpace(compatEmail) != "" {
+ completionResponse["compat_email"] = strings.TrimSpace(compatEmail)
+ }
+ if compatEmailUser != nil {
+ completionResponse["email"] = strings.TrimSpace(compatEmailUser.Email)
+ completionResponse["existing_account_email"] = strings.TrimSpace(compatEmailUser.Email)
+ completionResponse["existing_account_bindable"] = true
+ completionResponse["choice_reason"] = "compat_email_match"
+ }
+ if forceEmailOnSignup {
+ completionResponse["choice_reason"] = "force_email_on_signup"
+ }
+
+ resolvedChoiceEmail := suggestionEmail
+ if compatEmailUser != nil {
+ resolvedChoiceEmail = strings.TrimSpace(compatEmailUser.Email)
+ }
+
+ return h.createOAuthPendingSession(c, oauthPendingSessionPayload{
+ Intent: oauthIntentLogin,
+ Identity: identity,
+ ResolvedEmail: resolvedChoiceEmail,
+ RedirectTo: redirectTo,
+ BrowserSessionKey: browserSessionKey,
+ UpstreamIdentityClaims: upstreamClaims,
+ CompletionResponse: completionResponse,
+ })
+}
+
func (h *AuthHandler) createWeChatBindPendingSession(
c *gin.Context,
cfg wechatOAuthConfig,
@@ -874,7 +954,7 @@ func (h *AuthHandler) getWeChatOAuthConfig(ctx context.Context, rawMode string,
if err != nil {
return wechatOAuthConfig{}, err
}
- if effective.Mode != mode {
+ if !effective.SupportsMode(mode) {
return wechatOAuthConfig{}, infraerrors.NotFound("OAUTH_DISABLED", "wechat oauth is disabled")
}
@@ -884,7 +964,9 @@ func (h *AuthHandler) getWeChatOAuthConfig(ctx context.Context, rawMode string,
appSecret: strings.TrimSpace(effective.AppSecret),
redirectURI: firstNonEmpty(strings.TrimSpace(effective.RedirectURL), resolveWeChatOAuthAbsoluteURL(apiBaseURL, c, "/api/v1/auth/oauth/wechat/callback")),
frontendCallback: firstNonEmpty(strings.TrimSpace(effective.FrontendRedirectURL), wechatOAuthDefaultFrontendCB),
- scope: firstNonEmpty(strings.TrimSpace(effective.Scopes), service.DefaultWeChatConnectScopesForMode(mode)),
+ scope: effective.ScopeForMode(mode),
+ openEnabled: effective.OpenEnabled,
+ mpEnabled: effective.MPEnabled,
}
switch mode {
@@ -900,6 +982,10 @@ func (h *AuthHandler) getWeChatOAuthConfig(ctx context.Context, rawMode string,
return cfg, nil
}
+func (cfg wechatOAuthConfig) requiresUnionID() bool {
+ return cfg.openEnabled && cfg.mpEnabled
+}
+
func (h *AuthHandler) wechatOAuthFrontendCallback(ctx context.Context) string {
if h != nil && h.settingSvc != nil {
cfg, err := h.settingSvc.GetWeChatConnectOAuthConfig(ctx)
diff --git a/backend/internal/handler/auth_wechat_oauth_test.go b/backend/internal/handler/auth_wechat_oauth_test.go
index b0fee617..140851de 100644
--- a/backend/internal/handler/auth_wechat_oauth_test.go
+++ b/backend/internal/handler/auth_wechat_oauth_test.go
@@ -65,6 +65,36 @@ func TestWeChatOAuthStartRedirectsAndSetsPendingCookies(t *testing.T) {
require.NotEmpty(t, findCookie(cookies, oauthPendingBrowserCookieName))
}
+func TestWeChatOAuthStart_AllowsOpenModeWhenBothCapabilitiesEnabled(t *testing.T) {
+ gin.SetMode(gin.TestMode)
+ handler, client := newWeChatOAuthTestHandlerWithSettings(t, false, map[string]string{
+ service.SettingKeyWeChatConnectEnabled: "true",
+ service.SettingKeyWeChatConnectAppID: "wx-shared-app",
+ service.SettingKeyWeChatConnectAppSecret: "wx-shared-secret",
+ service.SettingKeyWeChatConnectMode: "mp",
+ service.SettingKeyWeChatConnectScopes: "snsapi_base",
+ service.SettingKeyWeChatConnectOpenEnabled: "true",
+ service.SettingKeyWeChatConnectMPEnabled: "true",
+ service.SettingKeyWeChatConnectRedirectURL: "https://api.example.com/api/v1/auth/oauth/wechat/callback",
+ service.SettingKeyWeChatConnectFrontendRedirectURL: "/auth/wechat/callback",
+ })
+ defer client.Close()
+
+ recorder := httptest.NewRecorder()
+ c, _ := gin.CreateTestContext(recorder)
+ c.Request = httptest.NewRequest(http.MethodGet, "/api/v1/auth/oauth/wechat/start?mode=open&redirect=/billing", nil)
+ c.Request.Host = "api.example.com"
+
+ handler.WeChatOAuthStart(c)
+
+ require.Equal(t, http.StatusFound, recorder.Code)
+ location := recorder.Header().Get("Location")
+ require.NotEmpty(t, location)
+ require.Contains(t, location, "open.weixin.qq.com")
+ require.Contains(t, location, "connect/qrconnect")
+ require.Contains(t, location, "scope=snsapi_login")
+}
+
func TestWeChatOAuthCallbackCreatesPendingSessionForUnifiedFlow(t *testing.T) {
originalAccessTokenURL := wechatOAuthAccessTokenURL
originalUserInfoURL := wechatOAuthUserInfoURL
diff --git a/frontend/src/views/auth/LinuxDoCallbackView.vue b/frontend/src/views/auth/LinuxDoCallbackView.vue
index a775075d..84610133 100644
--- a/frontend/src/views/auth/LinuxDoCallbackView.vue
+++ b/frontend/src/views/auth/LinuxDoCallbackView.vue
@@ -15,6 +15,7 @@
v-if="
needsInvitation ||
needsAdoptionConfirmation ||
+ needsChooser ||
needsCreateAccount ||
needsBindLogin ||
needsTotpChallenge
@@ -109,6 +110,42 @@
+
+
+
+
+
+ Choose how to continue
+
+
+ {{
+ pendingAccountEmail
+ ? `Suggested email: ${pendingAccountEmail}`
+ : 'Choose whether to bind an existing account or create a new one.'
+ }}
+
+
+
+
+
+
+
+
+
Enter an email address to create your account and continue.
@@ -275,7 +312,7 @@ const suggestedAvatarUrl = ref('')
const adoptDisplayName = ref(true)
const adoptAvatar = ref(true)
const needsAdoptionConfirmation = ref(false)
-const pendingAccountAction = ref<'none' | 'create_account' | 'bind_login'>('none')
+const pendingAccountAction = ref<'none' | 'choose_account_action' | 'create_account' | 'bind_login'>('none')
const pendingAccountEmail = ref('')
const bindLoginEmail = ref('')
const bindLoginPassword = ref('')
@@ -290,12 +327,17 @@ const totpError = ref('')
const totpUserEmailMasked = ref('')
const needsCreateAccount = computed(() => pendingAccountAction.value === 'create_account')
+const needsChooser = computed(() => pendingAccountAction.value === 'choose_account_action')
const needsBindLogin = computed(() => pendingAccountAction.value === 'bind_login')
type LinuxDoPendingActionResponse = PendingOAuthExchangeResponse & {
step?: string
+ intent?: string
email?: string
resolved_email?: string
+ pending_email?: string
+ existing_account_email?: string
+ suggested_email?: string
}
function persistPendingAuthSession(redirect?: string) {
@@ -392,12 +434,34 @@ function hasSuggestedProfile(completion: {
return Boolean(completion.suggested_display_name || completion.suggested_avatar_url)
}
-function extractPendingAccountEmail(completion: LinuxDoPendingActionResponse): string {
- return (completion.email || completion.resolved_email || '').trim()
+function normalizedPendingState(value: string | null | undefined): string {
+ return value?.trim().toLowerCase() || ''
}
-function resolvePendingAccountAction(completion: LinuxDoPendingActionResponse): 'none' | 'create_account' | 'bind_login' {
- const raw = (completion.step || completion.error || '').trim().toLowerCase()
+function extractPendingAccountEmail(completion: LinuxDoPendingActionResponse): string {
+ return (
+ completion.pending_email ||
+ completion.existing_account_email ||
+ completion.email ||
+ completion.resolved_email ||
+ completion.suggested_email ||
+ ''
+ ).trim()
+}
+
+function resolvePendingAccountAction(
+ completion: LinuxDoPendingActionResponse
+): 'none' | 'choose_account_action' | 'create_account' | 'bind_login' {
+ const raw = normalizedPendingState(completion.step || completion.error || completion.intent)
+ if (
+ raw === 'choice' ||
+ raw === 'choose_account_action_required' ||
+ raw === 'choose_account_action' ||
+ raw === 'choose_account' ||
+ raw === 'choose'
+ ) {
+ return 'choose_account_action'
+ }
if (raw === 'email_required' || raw === 'create_account_required' || raw === 'create_account') {
return 'create_account'
}
@@ -418,6 +482,14 @@ function applyPendingAccountAction(completion: LinuxDoPendingActionResponse) {
totpUserEmailMasked.value = ''
const email = extractPendingAccountEmail(completion)
+ if (action === 'choose_account_action') {
+ pendingAccountEmail.value = email
+ bindLoginEmail.value = email
+ bindLoginPassword.value = ''
+ canReturnToCreateAccount.value = false
+ return
+ }
+
if (action === 'create_account') {
pendingAccountEmail.value = email
canReturnToCreateAccount.value = true
@@ -470,28 +542,6 @@ function getRequestErrorMessage(error: unknown, fallback: string): string {
return err.response?.data?.detail || err.response?.data?.message || err.message || fallback
}
-function isCreateAccountRecoveryError(error: unknown): boolean {
- const data = (error as {
- response?: {
- data?: {
- reason?: string
- error?: string
- code?: string
- step?: string
- intent?: string
- }
- }
- }).response?.data
- const states = [data?.reason, data?.error, data?.code, data?.step, data?.intent]
- .map(value => value?.trim().toLowerCase())
- .filter((value): value is string => Boolean(value))
-
- return states.includes('email_exists') ||
- states.includes('bind_login_required') ||
- states.includes('bind_login') ||
- states.includes('adopt_existing_user_by_email')
-}
-
async function finalizeCompletion(completion: PendingOAuthExchangeResponse, redirect: string) {
if (getOAuthCompletionKind(completion) === 'bind') {
const bindRedirect = sanitizeRedirectPath(completion.redirect || '/profile')
@@ -601,10 +651,6 @@ async function handleCreateAccount(payload: PendingOAuthCreateAccountPayload) {
})
await finalizePendingAccountResponse(data)
} catch (e: unknown) {
- if (isCreateAccountRecoveryError(e)) {
- switchToBindLoginMode(payload.email)
- return
- }
accountActionError.value = getRequestErrorMessage(e, t('auth.loginFailed'))
} finally {
isSubmitting.value = false
diff --git a/frontend/src/views/auth/OidcCallbackView.vue b/frontend/src/views/auth/OidcCallbackView.vue
index e15e752f..9614d077 100644
--- a/frontend/src/views/auth/OidcCallbackView.vue
+++ b/frontend/src/views/auth/OidcCallbackView.vue
@@ -19,6 +19,7 @@
v-if="
needsInvitation ||
needsAdoptionConfirmation ||
+ needsChooser ||
needsCreateAccount ||
needsBindLogin ||
needsTotpChallenge
@@ -118,6 +119,42 @@
+
+
+
+
+
+ Choose how to continue
+
+
+ {{
+ pendingAccountEmail
+ ? `Suggested email: ${pendingAccountEmail}`
+ : `Choose whether to bind an existing ${providerName} account or create a new one.`
+ }}
+
+
+
+
+
+
+
+
+
Enter an email address to create your account and continue.
@@ -284,7 +321,7 @@ const suggestedAvatarUrl = ref('')
const adoptDisplayName = ref(true)
const adoptAvatar = ref(true)
const needsAdoptionConfirmation = ref(false)
-const pendingAccountAction = ref<'none' | 'create_account' | 'bind_login'>('none')
+const pendingAccountAction = ref<'none' | 'choose_account_action' | 'create_account' | 'bind_login'>('none')
const pendingAccountEmail = ref('')
const bindLoginEmail = ref('')
const bindLoginPassword = ref('')
@@ -299,6 +336,7 @@ const totpError = ref('')
const totpUserEmailMasked = ref('')
const needsCreateAccount = computed(() => pendingAccountAction.value === 'create_account')
+const needsChooser = computed(() => pendingAccountAction.value === 'choose_account_action')
const needsBindLogin = computed(() => pendingAccountAction.value === 'bind_login')
type PendingOidcCompletion = PendingOAuthExchangeResponse & {
@@ -307,6 +345,7 @@ type PendingOidcCompletion = PendingOAuthExchangeResponse & {
resolved_email?: string
existing_account_email?: string
email?: string
+ suggested_email?: string
provider_fallback?: string
intent?: string
requires_2fa?: boolean
@@ -430,12 +469,24 @@ function extractPendingAccountEmail(completion: PendingOidcCompletion): string {
completion.existing_account_email ||
completion.resolved_email ||
completion.email ||
+ completion.suggested_email ||
''
).trim()
}
-function resolvePendingAccountAction(completion: PendingOidcCompletion): 'none' | 'create_account' | 'bind_login' {
+function resolvePendingAccountAction(
+ completion: PendingOidcCompletion
+): 'none' | 'choose_account_action' | 'create_account' | 'bind_login' {
const raw = normalizedPendingState(completion.step || completion.error || completion.intent)
+ if (
+ raw === 'choice' ||
+ raw === 'choose_account_action_required' ||
+ raw === 'choose_account_action' ||
+ raw === 'choose_account' ||
+ raw === 'choose'
+ ) {
+ return 'choose_account_action'
+ }
if (raw === 'email_required' || raw === 'create_account_required' || raw === 'create_account') {
return 'create_account'
}
@@ -462,6 +513,14 @@ function applyPendingAccountAction(completion: PendingOidcCompletion) {
totpUserEmailMasked.value = ''
const email = extractPendingAccountEmail(completion)
+ if (action === 'choose_account_action') {
+ pendingAccountEmail.value = email
+ bindLoginEmail.value = email
+ bindLoginPassword.value = ''
+ canReturnToCreateAccount.value = false
+ return
+ }
+
if (action === 'create_account') {
pendingAccountEmail.value = email
canReturnToCreateAccount.value = true
@@ -514,28 +573,6 @@ function getRequestErrorMessage(error: unknown, fallback: string): string {
return err.response?.data?.detail || err.response?.data?.message || err.message || fallback
}
-function isCreateAccountRecoveryError(error: unknown): boolean {
- const data = (error as {
- response?: {
- data?: {
- reason?: string
- error?: string
- code?: string
- step?: string
- intent?: string
- }
- }
- }).response?.data
- const states = [data?.reason, data?.error, data?.code, data?.step, data?.intent]
- .map(value => value?.trim().toLowerCase())
- .filter((value): value is string => Boolean(value))
-
- return states.includes('email_exists') ||
- states.includes('bind_login_required') ||
- states.includes('bind_login') ||
- states.includes('adopt_existing_user_by_email')
-}
-
async function finalizeCompletion(completion: PendingOAuthExchangeResponse, redirect: string) {
if (getOAuthCompletionKind(completion) === 'bind') {
const bindRedirect = sanitizeRedirectPath(completion.redirect || '/profile')
@@ -645,10 +682,6 @@ async function handleCreateAccount(payload: PendingOAuthCreateAccountPayload) {
})
await finalizePendingAccountResponse(data)
} catch (e: unknown) {
- if (isCreateAccountRecoveryError(e)) {
- switchToBindLoginMode(payload.email)
- return
- }
accountActionError.value = getRequestErrorMessage(e, t('auth.loginFailed'))
} finally {
isSubmitting.value = false
diff --git a/frontend/src/views/auth/WechatCallbackView.vue b/frontend/src/views/auth/WechatCallbackView.vue
index a3efcf9a..54bf0684 100644
--- a/frontend/src/views/auth/WechatCallbackView.vue
+++ b/frontend/src/views/auth/WechatCallbackView.vue
@@ -18,6 +18,7 @@
+
+
+
+
+ Choose how to continue
+
+
+ Pick whether to bind an existing account or create a new one.
+
+
+
+
+
+
+
+
+
+
Review the {{ providerName }} profile details before continuing.
@@ -168,13 +206,46 @@
@submit="handleCreateAccount"
@switch-to-bind="switchToBindLoginMode"
/>
+
- Log in to an existing account to bind this {{ providerName }} sign-in.
+ Bind this {{ providerName }} sign-in to an existing account.
-
+
+
+
+
+ Bind the current account
+
+
+ Bind this WeChat identity to the account currently signed in on this browser.
+
+
+
+
+
+
+
{{ isSubmitting ? t('common.processing') : 'Log in and bind' }}
-
-
-
- {{ accountActionError }}
-
-
+
@@ -253,6 +319,12 @@
+ {{ accountActionError }}
+
+
+
('none')
+const pendingAccountAction = ref<'none' | 'choice' | 'create_account' | 'bind_login'>('none')
const pendingAccountEmail = ref('')
const bindLoginEmail = ref('')
const bindLoginPassword = ref('')
const legacyPendingOAuthToken = ref('')
const accountActionError = ref('')
-const canReturnToCreateAccount = ref(false)
const needsTotpChallenge = ref(false)
const totpTempToken = ref('')
const totpCode = ref('')
@@ -340,12 +412,17 @@ const totpUserEmailMasked = ref('')
const bindSuccessMessage = t('profile.authBindings.bindSuccess')
const providerName = 'WeChat'
+const showBackToChooser = computed(
+ () => pendingAccountAction.value === 'create_account' || pendingAccountAction.value === 'bind_login'
+)
const needsCreateAccount = computed(() => pendingAccountAction.value === 'create_account')
const needsBindLogin = computed(() => pendingAccountAction.value === 'bind_login')
const hasCurrentAuthToken = computed(() => Boolean(getAuthToken()))
type PendingWeChatCompletion = PendingOAuthExchangeResponse & {
step?: string
+ status?: string
+ state?: string
pending_email?: string
resolved_email?: string
existing_account_email?: string
@@ -489,11 +566,6 @@ function resolveWeChatStartURL(intent: 'bind_current_user' | 'adopt_existing_use
intent,
})
- const email = existingAccountEmail.value.trim()
- if (email) {
- params.set('email', email)
- }
-
return `${normalized}/auth/oauth/wechat/start?${params.toString()}`
}
@@ -502,6 +574,7 @@ function buildExistingAccountResumePath(): string | null {
if (!mode) {
return null
}
+
const params = new URLSearchParams({
wechat_bind_existing: '1',
redirect: resolveRedirectTarget(),
@@ -538,26 +611,31 @@ function serializeAdoptionDecision(decision: OAuthAdoptionDecision): Record {
}
if (typeof route.query.email === 'string') {
- existingAccountEmail.value = route.query.email
+ const email = route.query.email.trim()
+ existingAccountEmail.value = email
+ bindLoginEmail.value = email
+ pendingAccountEmail.value = email
}
if (route.query.wechat_bind_existing === '1') {
if (getAuthToken()) {
- const startURL = resolveWeChatStartURL('bind_current_user')
- if (!startURL) {
- errorMessage.value = resolveWeChatOAuthUnavailableMessage()
- appStore.showError(errorMessage.value)
- isProcessing.value = false
- return
- }
- prepareOAuthBindAccessTokenCookie()
- window.location.href = startURL
+ await handleBindCurrentAccount()
return
}