Replies: 1 comment
-
Looking at this explanation on linking accounts, I think I misunderstood the actual root cause and overestimated the automatic linking capacity of the current NextAuth version. Cannot get scenario 2 from the answer there to work either: no linking is happening and no new account record is created when a logged-in user re-logs in with a different OAuth provider.
I do understand the reasoning, that not all OAuth providers do good checks on email validity. BUT we, as devs & admins, select which providers are enabled on our web and which are not. So the decision of whether to autolink accounts or not should be ours -- and possibly doable on the provider conf level. Right now I would call the customer flow completely unintuitive.
So, do I understand correctly that in the current version of NextAuth, users are stuck with whatever OAuth provider they chose first + if they chose to log in using email first, there is no way (please show me if there is!) for them to switch over to any OAuth providers?
-
Hi guys, I'm stuck.
My use case is simple - I want to disable new user registration, but allow existing users to add different accounts (e.g. Google, Facebook login etc.).
I am using MySQL for persistence and JWT tokens for sessions. I currently have 3 test users who can log on fine with email (Providers.email). The provider for Facebook OAuth is set up and works.
The documentation I found on https://next-auth.js.org/configuration/callbacks#sign-in-callback claims that I should be able to check the existence of the user.id field in the passed user object.
This works well when the user is using the email provider, e.g. there is a db call of getUserByEmail; if found, the user object is populated from the existing db record, if not, then the user does not exist and the signin response can be false.
HOWEVER as much as I can see, this does NOT happen when an existing user tries to log on for the first time with an OAuth provider (for example Facebook). The contents of the user object only have name, email and image, and there are no calls towards the users table in the database and no user.id.
So, in reality, the proposed check for user.id existence does not only disable registering new users, it ALSO disables adding new accounts to existing users. I think the reason here is that linking of an account to an existing user happens after successful login, but there is no callback for that I can find.
Can you please point me to a good solution for how to still allow people I manually add to the users table to be able to log in using their choice of OAuth provider?
For example:
Thanks in advance!
P.S. I would really like to see unification of login flows, e.g. that provider.email would also create a separate account and link it to the user.
P.P.S. Yes, I can remove the insert right from the users table on the db side of things, but seriously...
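The policy the two posts above ask for (registration closed, linking to existing users decided per provider), written out as an added example that is not part of the thread and not NextAuth's own code. `decideSignIn`, `providerPolicy`, the `emailVerified` input and the sample rows are hypothetical names and constructed data; the function only models the decision and does not by itself make NextAuth link accounts.

```javascript
// Constructed sample data standing in for the users and accounts tables.
const users = [{ id: 1, email: "alice@example.com" }];
const accounts = [{ userId: 1, provider: "google", providerAccountId: "g-111" }];

// Hypothetical per-provider opt-in: link by email only for providers the
// site operator trusts to have verified ownership of the address.
const providerPolicy = {
  google: { autoLinkByEmail: true },
  facebook: { autoLinkByEmail: false },
};

const normalize = (email) => String(email || "").trim().toLowerCase();

// Input is assumed to be mapped by the caller from the provider's profile.
function decideSignIn({ provider, providerAccountId, email, emailVerified }) {
  // 1. Account already linked: identity comes from the provider account id,
  //    never from the email the provider reports.
  const linked = accounts.find(
    (a) => a.provider === provider && a.providerAccountId === providerAccountId
  );
  if (linked) return { action: "allow", userId: linked.userId };

  // 2. No existing user with this email: registration is closed.
  const wanted = normalize(email);
  const user = wanted && users.find((u) => normalize(u.email) === wanted);
  if (!user) return { action: "deny", reason: "registration-disabled" };

  // 3. Existing user, new provider: link only if the provider is opted in
  //    AND it asserts the email is verified. Otherwise anyone who can set an
  //    arbitrary email at a lax provider could take over the account.
  const policy = providerPolicy[provider];
  if (!policy || !policy.autoLinkByEmail) {
    return { action: "deny", reason: "provider-not-trusted-for-linking" };
  }
  if (emailVerified !== true) {
    return { action: "deny", reason: "email-not-verified" };
  }
  return { action: "link", userId: user.id };
}
```

A denied link in step 3 can still be completed safely by having the user sign in with their existing method first and then attach the new provider from within that session.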