appwrite
diff --git a/‎app/controllers/api/account.php‎
Lines changed: 14 additions & 9 deletions b/‎app/controllers/api/account.php‎
Lines changed: 14 additions & 9 deletions
@@ -1664,6 +1664,20 @@ function sendSessionAlert(Locale $locale, Document $user, Document $project, arr
                 }
             }
 
+            // If user is not found, check if there is an identity with the same email
+            // Only allow connecting to existing account if OAuth provider verified the email
+            if ($user === false || $user->isEmpty()) {
+                $identityWithMatchingEmail = $dbForProject->findOne('identities', [
+                    Query::equal('providerEmail', [$email]),
+                ]);
+                if (!$identityWithMatchingEmail->isEmpty()) {
+                    if (!$isVerified) {
+                        $failureRedirect(Exception::GENERAL_BAD_REQUEST);
+                    }
+                    $user->setAttributes($dbForProject->getDocument('users', $identityWithMatchingEmail->getAttribute('userId'))->getArrayCopy());
+                }
+            }
+
             if ($user === false || $user->isEmpty()) { // Last option -> create the user
                 $limit = $project->getAttribute('auths', [])['limit'] ?? 0;
 
@@ -1675,14 +1689,6 @@ function sendSessionAlert(Locale $locale, Document $user, Document $project, arr
                     }
                 }
 
-                // Makes sure this email is not already used in another identity
-                $identityWithMatchingEmail = $dbForProject->findOne('identities', [
-                    Query::equal('providerEmail', [$email]),
-                ]);
-                if (!$identityWithMatchingEmail->isEmpty()) {
-                    $failureRedirect(Exception::GENERAL_BAD_REQUEST); /** Return a generic bad request to prevent exposing existing accounts */
-                }
-
                 try {
                     $emailCanonical = new Email($email);
                 } catch (Throwable) {
@@ -1736,7 +1742,6 @@ function sendSessionAlert(Locale $locale, Document $user, Document $project, arr
                         'providerType' => MESSAGE_TYPE_EMAIL,
                         'identifier' => $email,
                     ]));
-
                 } catch (Duplicate) {
                     $failureRedirect(Exception::USER_ALREADY_EXISTS);
                 }