making auto linking optional

[mohammed-bahumaish]

Description 📓

as mentioned in the documentation:
With automatic account linking on sign in, this can be exploited by bad actors to hijack accounts by creating an OAuth account associated with the email address of another user.
but i think it would be awesome if it's optional.

this is how i added the auto linking in the callback handler
const userByEmail = profile.email ? await getUserByEmail(profile.email) : null; if (!userByEmail) { const newUser = { ...profile, emailVerified: null }; delete newUser.id; user = await createUser(newUser); await ((_events$createUser2 = events.createUser) === null || _events$createUser2 === void 0 ? void 0 : _events$createUser2.call(events, { user, })); } user = userByEmail;

in this feature request i want to make it optional.

How to reproduce ☕️

having user table. but not account table in the db for a user.

Contributing 🙌🏽

Yes, I am willing to help implement this feature in a PR

[mohammed-bahumaish]

i would like to give an example of when this feature would be helpful.
in my use case, my client has an old database which has users table which want to integrate into the new site.
the new site will have signing in with Google or Email.
i want the old users to be able to sign in with both. but with the current situation it's not possible to make them able to sign in with Google. only if i don't use the database provider with next-auth and with extra code. i had to fork the lib and modify it to have this possible. but i think many people could run into the same issue. so that's why if it's optional to make the auto linking that would be very helpful for many people.
i understand it has risks and can be exploited, but in some use cases there is no risk, and it would be better if the user have the option to use auto linking.