graphql-hive
diff --git a/‎.github/workflows/tests-e2e.yaml‎
Lines changed: 7 additions & 0 deletions b/‎.github/workflows/tests-e2e.yaml‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎cypress/e2e/app.cy.ts‎
Lines changed: 51 additions & 2 deletions b/‎cypress/e2e/app.cy.ts‎
Lines changed: 51 additions & 2 deletions
diff --git a/‎integration-tests/testkit/auth.ts‎
Lines changed: 18 additions & 6 deletions b/‎integration-tests/testkit/auth.ts‎
Lines changed: 18 additions & 6 deletions
diff --git a/‎integration-tests/testkit/flow.ts‎
Lines changed: 11 additions & 0 deletions b/‎integration-tests/testkit/flow.ts‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎integration-tests/testkit/seed.ts‎
Lines changed: 48 additions & 28 deletions b/‎integration-tests/testkit/seed.ts‎
Lines changed: 48 additions & 28 deletions
@@ -38,6 +38,13 @@ jobs:
         with:
           cmd: yq -i 'del(.services.*.volumes)' docker/docker-compose.community.yml
 
+      - name: disable rate limiting
+        uses: mikefarah/yq@4839dbbf80445070a31c7a9c1055da527db2d5ee # v4.44.6
+        with:
+          cmd:
+            yq -i '.services.server.environment.SUPERTOKENS_RATE_LIMIT = "0"'
+            docker/docker-compose.community.yml
+
       - name: run containers
         timeout-minutes: 10
         run: |
 
@@ -64,8 +64,6 @@ describe('oidc', () => {
       cy.get('button[value="login"]').click();
 
       cy.get(`a[href="/${slug}"]`).should('exist');
-      // Organization picker should not be visible
-      cy.get('[data-cy="organization-picker-current"]').should('not.exist');
     });
   });
 
@@ -151,6 +149,57 @@ describe('oidc', () => {
     cy.get(`a[href^="/${slug}/view/members"]`).should('exist');
   });
 
+  it('emailpassword account linking with existing oidc user', () => {
+    const organizationAdminUser = getUserData();
+    cy.visit('/');
+    cy.signup(organizationAdminUser);
+
+    const slug = generateRandomSlug();
+    cy.createOIDCIntegration(slug).then(({ organizationSlug }) => {
+      cy.visit('/logout');
+      cy.clearAllCookies();
+      cy.clearAllLocalStorage();
+      cy.clearAllSessionStorage();
+      cy.get('a[href^="/auth/sso"]').click();
+
+      // Select organization
+      cy.get('input[name="slug"]').type(organizationSlug);
+      cy.get('button[type="submit"]').click();
+
+      cy.get('input[id="Input_Username"]').type('test-user-2');
+      cy.get('input[id="Input_Password"]').type('password');
+      cy.get('button[value="login"]').click();
+
+      cy.get(`a[href="/${slug}"]`).should('exist');
+
+      cy.visit('/logout');
+      cy.clearAllCookies();
+      cy.clearAllLocalStorage();
+      cy.clearAllSessionStorage();
+
+      // Sign up/in through emailpassword, with email address used previously in OIDC
+      const memberData = {
+        ...getUserData(),
+        email: 'tom.sailor@gmail.com', // see docker/configs/oidc-server-mock/users-config.json
+      };
+      cy.visit('/auth/sign-up');
+      cy.fillSignUpFormAndSubmit(memberData);
+      cy.wait(500);
+
+      // Sign up can fail if the account already exists (due to using a fixed email address)
+      // Therefore sign out and re-sign in
+      cy.visit('/logout');
+      cy.clearAllCookies();
+      cy.clearAllLocalStorage();
+      cy.clearAllSessionStorage();
+      cy.visit('/auth/sign-in');
+      cy.fillSignInFormAndSubmit(memberData);
+      cy.wait(500);
+
+      cy.get(`a[href="/${slug}"]`).should('exist');
+    });
+  });
+
   it('oidc login for invalid url shows correct error message', () => {
     cy.clearAllCookies();
     cy.clearAllLocalStorage();
 
@@ -57,10 +57,17 @@ const signUpUserViaEmail = async (
   }
 };
 
-const createSessionPayload = (superTokensUserId: string, email: string) => ({
-  version: '1',
-  superTokensUserId,
-  email,
+const createSessionPayload = (payload: {
+  superTokensUserId: string;
+  userId: string;
+  oidcIntegrationId: string | null;
+  email: string;
+}) => ({
+  version: '2',
+  superTokensUserId: payload.superTokensUserId,
+  userId: payload.userId,
+  oidcIntegrationId: payload.oidcIntegrationId,
+  email: payload.email,
 });
 
 const CreateSessionModel = z.object({
@@ -89,15 +96,20 @@ const createSession = async (
       ],
     });
 
-    await internalApi.ensureUser.mutate({
+    const { user } = await internalApi.ensureUser.mutate({
       superTokensUserId,
       email,
       oidcIntegrationId,
       firstName: null,
       lastName: null,
     });
 
-    const sessionData = createSessionPayload(superTokensUserId, email);
+    const sessionData = createSessionPayload({
+      superTokensUserId,
+      userId: user.id,
+      oidcIntegrationId,
+      email,
+    });
     const payload = {
       enableAntiCsrf: false,
       userId: superTokensUserId,
 
@@ -156,6 +156,17 @@ export function getOrganization(organizationSlug: string, authToken: string) {
             reportingOperations
             enablingUsageBasedBreakingChanges
           }
+          me {
+            id
+            user {
+              id
+            }
+            role {
+              id
+              name
+              permissions
+            }
+          }
         }
       }
     `),
 
@@ -891,49 +891,69 @@ export function initSeed() {
                 },
               };
             },
-            async inviteAndJoinMember(
-              inviteToken: string = ownerToken,
-              memberRoleId: string | undefined = undefined,
-              resources: GraphQLSchema.ResourceAssignmentInput | undefined = undefined,
-            ) {
+            async inviteAndJoinMember(options?: {
+              inviteToken?: string;
+              memberRoleId?: string | undefined;
+              oidcIntegrationId?: string | undefined;
+              resources?: GraphQLSchema.ResourceAssignmentInput | undefined;
+            }) {
+              const { inviteToken, memberRoleId, oidcIntegrationId, resources } = Object.assign(
+                options ?? {},
+                {
+                  inviteToken: ownerToken,
+                },
+              );
               const memberEmail = userEmail(generateUnique());
-              const memberToken = await authenticate(memberEmail).then(r => r.access_token);
+              const memberToken = await authenticate(memberEmail, oidcIntegrationId).then(
+                r => r.access_token,
+              );
 
-              const invitationResult = await inviteToOrganization(
-                {
-                  organization: {
-                    bySelector: {
-                      organizationSlug: organization.slug,
+              if (!oidcIntegrationId) {
+                const invitationResult = await inviteToOrganization(
+                  {
+                    organization: {
+                      bySelector: {
+                        organizationSlug: organization.slug,
+                      },
                     },
+                    email: memberEmail,
+                    memberRoleId,
+                    resources,
                   },
-                  email: memberEmail,
-                  memberRoleId,
-                  resources,
-                },
-                inviteToken,
-              ).then(r => r.expectNoGraphQLErrors());
-
-              const code =
-                invitationResult.inviteToOrganizationByEmail.ok?.createdOrganizationInvitation.code;
+                  inviteToken,
+                ).then(r => r.expectNoGraphQLErrors());
+                const code =
+                  invitationResult.inviteToOrganizationByEmail.ok?.createdOrganizationInvitation
+                    .code;
+
+                if (!code) {
+                  throw new Error(
+                    `Could not create invitation for ${memberEmail} to join org ${organization.slug}`,
+                  );
+                }
 
-              if (!code) {
-                throw new Error(
-                  `Could not create invitation for ${memberEmail} to join org ${organization.slug}`,
+                const joinResult = await joinOrganization(code, memberToken).then(r =>
+                  r.expectNoGraphQLErrors(),
                 );
+
+                if (joinResult.joinOrganization.__typename !== 'OrganizationPayload') {
+                  throw new Error(
+                    `Member ${memberEmail} could not join organization ${organization.slug}`,
+                  );
+                }
               }
 
-              const joinResult = await joinOrganization(code, memberToken).then(r =>
+              const orgAfterJoin = await getOrganization(organization.slug, memberToken).then(r =>
                 r.expectNoGraphQLErrors(),
               );
+              const member = orgAfterJoin.organization?.me;
 
-              if (joinResult.joinOrganization.__typename !== 'OrganizationPayload') {
+              if (!member) {
                 throw new Error(
-                  `Member ${memberEmail} could not join organization ${organization.slug}`,
+                  `Could not retrieve membership for ${memberEmail} in ${organization.slug} after joining`,
                 );
               }
 
-              const member = joinResult.joinOrganization.organization.me;
-
               return {
                 member,
                 memberEmail,
Original file line number	Diff line number	Diff line change
`@@ -156,6 +156,17 @@ export function getOrganization(organizationSlug: string, authToken: string) {`
`156`	`156`	`reportingOperations`
`157`	`157`	`enablingUsageBasedBreakingChanges`
`158`	`158`	`}`
	`159`	`+ me {`
	`160`	`+ id`
	`161`	`+ user {`
	`162`	`+ id`
	`163`	`+ }`
	`164`	`+ role {`
	`165`	`+ id`
	`166`	`+ name`
	`167`	`+ permissions`
	`168`	`+ }`
	`169`	`+ }`
`159`	`170`	`}`
`160`	`171`	`}`
`161`	`172`	`),