Connect social provider with existing account

[julianwitzel]

Feature Request: Link OAuth providers to existing accounts

Problem

When a user creates an account via email/password and later tries to log in with Google or GitHub OAuth using the same email address, Plunk treats it as a new signup attempt instead of linking the OAuth provider to the existing account.

With DISABLE_SIGNUPS=true, this results in a New user signups are currently disabled error. With signups enabled, the user sees You used another form of authentication and is redirected back to the login page without being logged in.

Expected behavior

If an OAuth login matches an existing account's email address, the OAuth provider should be linked to that account and the user should be logged in.

Suggested implementation

During the OAuth callback, check if a user with the same email already exists. If so, link the OAuth provider to the existing account instead of attempting to create a new one. This is a common pattern in platforms like GitLab, Supabase, and others.

Environment

• Plunk v0.6.0 (self-hosted, Docker)
• OAuth providers: Google and GitHub
• DISABLE_SIGNUPS=true

[driaug]

I am unsure if this is wanted behaviour for security reasons.

If you have an account with regular email/password and e.g. your Github account gets compromised that would mean that the attacker gets access to the Plunk account despite not knowing the password