JMCP: Papers - jmcp/wire-up-real-orcid-oauth-callback-route--qXIh7dlf#7
Merged
landigf merged 1 commit intoMar 25, 2026
Merged
Conversation
…eds actual token exchange and profile linking
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Review Summary
Change Summary
Three files, two concerns:
packages/auth/src/index.ts— Adds adatabaseHooks.account.create.afterhook so that when an ORCID account is linked via Better Auth, the user'sprofiles.orcidcolumn is populated with the ORCID iD (account.accountId).apps/web/app/api/auth/orcid/link/route.ts(new) — A/api/auth/orcid/linkGET route that proxies into Better Auth'ssign-in/socialendpoint for ORCID, forwarding cookies and redirecting the user to the ORCID authorization URL (or back to settings on failure).apps/web/app/settings/identity/page.tsx— Shows the linked ORCID iD when present, and renders a "Link ORCID" button when managed auth is active, ORCID is configured, and no iD is linked yet.Validation Confidence: Medium
genericOAuth+ a database hook is the right-weight solution.disableImplicitSignUp: trueis already set, which is correct for linking (existing user only).Risks That Still Remain
/api/auth/orcid/link— an unauthenticated visitor can hit this route. Better Auth's social sign-in may still require a session, but an explicit session check + early 401 would be safer and give a clear error.createonly — if a user re-links ORCID (e.g., changed ORCID iD), the existingaccountrow may be updated rather than created, and the hook won't fire. Consider also hookingaccount.update.after.?error=orcid-link-failedbut the settings page doesn't read or display that query param, so the user sees no feedback on failure.profilesrow must already exist — thedb.update(profiles)in the hook silently affects 0 rows if the profile hasn't been seeded yet. An upsert or a pre-check would be more defensive.sign-in/socialgenerates and validatesstate.@orcid.localsentinel email inmapProfileToUser— if Better Auth enforces email uniqueness this could collide if two users somehow get the same sub, or cause confusion in logs/admin. Minor but worth a note.