[server/auth] check for matching auth ID

AlexTugarev · AlexTugarev · commit 5db8573559b3 · 2021-06-23T11:32:12.000+02:00
diff --git a/components/server/src/auth/generic-auth-provider.ts b/components/server/src/auth/generic-auth-provider.ts
@@ -427,6 +427,14 @@ export class GenericAuthProvider implements AuthProvider {
             if (currentGitpodUser) {
                 // user is already logged in
 
+                // check for matching auth ID
+                const currentIdentity = currentGitpodUser.identities.find(i => i.authProviderId === this.authProviderId);
+                if (currentIdentity && currentIdentity.authId !== candidate.authId) {
+                    log.warn(`User is trying to connect with another provider identity.`, { ...defaultLogPayload, authUser, candidate, currentGitpodUser: User.censor(currentGitpodUser), clientInfo });
+                    done(AuthException.create("authId-mismatch", "Auth ID does not match with existing provider identity.", {}), undefined);
+                    return;
+                }
+
                 // we need to check current provider authorizations first...
                 try {
                     await this.userService.asserNoTwinAccount(currentGitpodUser, this.host, this.authProviderId, candidate);
