Discord OAuth Login Fix - No More Account Auto-Creation

cgen-8d4327300cf14effabebf3e6d3763e8e

docs/DISCORD-OAUTH-NO-AUTO-CREATE.md

@@ -0,0 +1,90 @@
+# Discord OAuth Login Fix - Account Auto-Creation Removed
+
+## Problem
+When logging in via Discord OAuth with an email that doesn't match any existing AeThex account, the system was automatically creating a brand new account.
+
+**Example**:
+- You have an AeThex account: `mrpiglr@gmail.com`
+- Your Discord email: `someone@discord-email.com`
+- **Before**: Clicking "Continue with Discord" created a NEW account with `someone@discord-email.com`
+- **Result**: You had two accounts and couldn't access your original account
+
+## Solution
+Discord OAuth login now requires an exact email match. If the Discord email doesn't match an existing account:
+1. User is redirected to `/login` with error message
+2. Error message: "Discord email (xxx@example.com) not found. Please sign in with your email account first, then link Discord from settings."
+3. User signs in with their email (e.g., `mrpiglr@gmail.com`)
+4. User goes to Dashboard → Connections → Link Discord
+5. Discord is now linked to the existing account
+
+## Changed Files
+- `code/api/discord/oauth/callback.ts`: Removed auto-account-creation logic
+  - No longer creates new auth users
+  - No longer creates new user profiles
+  - Only links Discord if email matches existing account
+  - Redirects to login if no email match
+
+## New User Flow
+Users with NO existing AeThex account:
+1. Click "Continue with Discord" on `/login`
+2. Authorize Discord
+3. If Discord email matches an existing account → Linked + logged in ✅
+4. If Discord email is NEW → Redirected to `/login` with error ⚠️
+   - They must create account via Email/Password OR continue with GitHub/Google (if available)
+   - Then they can link Discord from Dashboard
+
+## For You Specifically
+Your situation:
+1. ✅ You have AeThex account: `mrpiglr@gmail.com`
+2. ✅ Your Discord email is different
+3. **New behavior**: Clicking "Continue with Discord" now shows error
+4. **What to do**:
+   - Go to `/login` and sign in with `mrpiglr@gmail.com` password
+   - Go to `/dashboard?tab=connections`
+   - Click "Link Discord"
+   - Authorize Discord
+   - ✅ Discord is now linked to `mrpiglr@gmail.com` account
+
+## Testing
+
+### Test Case 1: Existing User, Matching Email
+```
+1. Create account with Discord email: person@example.com
+2. Logout
+3. Click "Continue with Discord"
+4. Should login to existing account (not create new)
+✅ Success: Only one account
+```
+
+### Test Case 2: Existing User, Different Email
+```
+1. Create account: mrpiglr@gmail.com (email/password)
+2. Discord email: something_else@example.com
+3. Click "Continue with Discord"
+4. Should see error: "Discord email not found"
+5. Sign in with mrpiglr@gmail.com
+6. Go to Dashboard → Link Discord
+✅ Success: Discord linked to correct account
+```
+
+### Test Case 3: New User, No Existing Account
+```
+1. Click "Continue with Discord" (no account exists)
+2. Discord email: new_user@example.com
+3. Should see error: "Discord email not found"
+4. User must sign up with email/password or other OAuth first
+✅ Success: No auto-created account with mismatched email
+```
+
+## Why This Change?
+- **Prevents account duplication**: No more accidentally creating second accounts
+- **User confusion prevented**: Users see clear error message explaining what to do
+- **Email consistency**: Each AeThex account now has one email, reducing support issues
+- **Better linking experience**: Forces intentional linking, not accidental account creation
+
+## Rollback (if needed)
+If this change causes issues, the old behavior can be restored by:
+1. Uncommenting the account creation logic in `code/api/discord/oauth/callback.ts`
+2. Using the `isNewUser` flag to redirect to onboarding for new accounts
+
+However, this will re-introduce the original problem.