fix: Improved handling of authentication edge-cases (#2023)

* fix: authentication records not cleaned up for deleted user
closes #2022

* fix: Improve debugging for duplicate providerId sign-in requests

server/commands/userCreator.js

@@ -37,7 +37,6 @@ export default async function userCreator({
   const { authenticationProviderId, providerId, ...rest } = authentication;
   const auth = await UserAuthentication.findOne({
     where: {
-      authenticationProviderId,
       providerId,
     },
     include: [
@@ -53,10 +52,27 @@ export default async function userCreator({
   if (auth) {
     const { user } = auth;
 
-    await user.update({ email });
-    await auth.update(rest);
+    // We found an authentication record that matches the user id, but it's
+    // associated with a different authentication provider, (eg a different
+    // hosted google domain). This is possible in Google Auth when moving domains.
+    // In the future we may auto-migrate these.
+    if (auth.authenticationProviderId !== authenticationProviderId) {
+      throw new Error(
+        `User authentication ${providerId} already exists for ${auth.authenticationProviderId}, tried to assign to ${authenticationProviderId}`
+      );
+    }
 
-    return { user, authentication: auth, isNewUser: false };
+    if (user) {
+      await user.update({ email });
+      await auth.update(rest);
+
+      return { user, authentication: auth, isNewUser: false };
+    }
+
+    // We found an authentication record, but the associated user was deleted or
+    // otherwise didn't exist. Cleanup the auth record and proceed with creating
+    // a new user. See: https://github.com/outline/outline/issues/2022
+    await auth.destroy();
   }
 
   // A `user` record might exist in the form of an invite even if there is no