wip: zen

packages/console/function/src/auth.ts

@@ -15,6 +15,8 @@ import { User } from "@opencode-ai/console-core/user.js"
 import { and, Database, eq, isNull } from "@opencode-ai/console-core/drizzle/index.js"
 import { WorkspaceTable } from "@opencode-ai/console-core/schema/workspace.sql.js"
 import { UserTable } from "@opencode-ai/console-core/schema/user.sql.js"
+import { AuthTable } from "@opencode-ai/console-core/schema/auth.sql.js"
+import { Identifier } from "@opencode-ai/console-core/identifier.js"
 
 type Env = {
   AuthStorage: KVNamespace
@@ -102,6 +104,7 @@ export default {
       async success(ctx, response) {
         console.log(response)
 
+        let subject: string | undefined
         let email: string | undefined
 
         if (response.provider === "github") {
@@ -112,25 +115,77 @@ export default {
               Accept: "application/vnd.github+json",
             },
           }).then((x) => x.json())) as any
+          const user = (await fetch("https://api.github.com/user", {
+            headers: {
+              Authorization: `Bearer ${response.tokenset.access}`,
+              "User-Agent": "opencode",
+              Accept: "application/vnd.github+json",
+            },
+          }).then((x) => x.json())) as any
+          subject = user.id.toString()
           email = emails.find((x: any) => x.primary && x.verified)?.email
         } else if (response.provider === "google") {
           if (!response.id.email_verified) throw new Error("Google email not verified")
+          subject = response.id.sub as string
           email = response.id.email as string
         } else throw new Error("Unsupported provider")
 
         if (!email) throw new Error("No email found")
+        if (!subject) throw new Error("No subject found")
 
         if (Resource.App.stage !== "production" && !email.endsWith("@anoma.ly")) {
           throw new Error("Invalid email")
         }
 
-        let accountID = await Account.fromEmail(email).then((x) => x?.id)
-        if (!accountID) {
-          console.log("creating account for", email)
-          accountID = await Account.create({
-            email: email!,
-          })
-        }
+        // Get account
+        const accountID = await (async () => {
+          // check provider mapping
+          const idByProvider = await Database.use(async (tx) =>
+            tx
+              .select({ accountID: AuthTable.accountID })
+              .from(AuthTable)
+              .where(and(eq(AuthTable.provider, response.provider), eq(AuthTable.subject, subject)))
+              .then((rows) => rows[0]?.accountID),
+          )
+          // check email mapping
+          const idByEmail = await Account.fromEmail(email).then((x) => x?.id)
+          if (idByProvider && idByEmail) return idByProvider
+
+          // create account if not found
+          let accountID = idByProvider ?? idByEmail
+          if (!accountID) {
+            console.log("creating account for", email)
+            accountID = await Account.create({ email: email! })
+          }
+
+          await Database.use(async (tx) =>
+            tx
+              .insert(AuthTable)
+              .values([
+                {
+                  id: Identifier.create("auth"),
+                  accountID,
+                  provider: response.provider,
+                  subject,
+                },
+                {
+                  id: Identifier.create("auth"),
+                  accountID,
+                  provider: "email",
+                  subject: email,
+                },
+              ])
+              .onDuplicateKeyUpdate({
+                set: {
+                  timeDeleted: null,
+                },
+              }),
+          )
+
+          return accountID
+        })()
+
+        // Get workspace
         await Actor.provide("account", { accountID, email }, async () => {
           await User.joinInvitedWorkspaces()
           const workspaces = await Database.transaction(async (tx) =>