Opt-in for dangerous account linking
Hi there, happy new year, it's me over from that thing.
I've decided to go down the road of using a next-auth fork internally as we trust our hand-selected set of auth providers to correctly verify email addresses. Now I am curious if you'd consider merging it into upstream as well.
If so, I'd be happy to add docs, tests or whatever else you think is needed for this to be mergeable. Naming is another thing I've been wondering about. Maybe the flag should be called dangerouslyTrustAccountEmail instead? Or something else?
Reasoning 💡
By default, account linking can only be done through an active session, to prevent account stealing from low-trust providers. Some next-auth users might trust their chosen providers enough to opt them into more lax account linking.
Checklist 🧢
- [ ] Documentation
- [ ] Tests
- [ ] Ready to be merged
Thanks for the consideration (and the great work on next-auth!)
Hi and thanks!
Making it opt-in might be an acceptable solution. I'll try to take this up with the others.
I'll cc @iaincollins, he might have an opinion as well.
It looks like this issue did not receive any activity for 60 days. It will be closed in 7 days if no further activity occurs. If you think your issue is still relevant, commenting will keep it open. Thanks!
Any updates on this?
It looks like this issue did not receive any activity for 60 days. It will be closed in 7 days if no further activity occurs. If you think your issue is still relevant, commenting will keep it open. Thanks!
Hi, any updates on this? It would really help with a project I'm working on. Let me know if I can be of any help!
Superseded by https://github.com/nextauthjs/next-auth/pull/5513