fix: do not query user_link for deleted accounts (#12112)

coderd/database/dbmem/dbmem.go

@@ -3787,6 +3787,10 @@ func (q *FakeQuerier) GetUserLinkByLinkedID(_ context.Context, id string) (datab
 	defer q.mutex.RUnlock()
 
 	for _, link := range q.userLinks {
+		user, err := q.getUserByIDNoLock(link.UserID)
+		if err == nil && user.Deleted {
+			continue
+		}
 		if link.LinkedID == id {
 			return link, nil
 		}

coderd/database/queries.sql.go

@@ -7088,11 +7088,15 @@ func (q *sqlQuerier) InsertTemplateVersionVariable(ctx context.Context, arg Inse
 
 const getUserLinkByLinkedID = `-- name: GetUserLinkByLinkedID :one
 SELECT
-	user_id, login_type, linked_id, oauth_access_token, oauth_refresh_token, oauth_expiry, oauth_access_token_key_id, oauth_refresh_token_key_id, debug_context
+	user_links.user_id, user_links.login_type, user_links.linked_id, user_links.oauth_access_token, user_links.oauth_refresh_token, user_links.oauth_expiry, user_links.oauth_access_token_key_id, user_links.oauth_refresh_token_key_id, user_links.debug_context
 FROM
 	user_links
+INNER JOIN
+	users ON user_links.user_id = users.id
 WHERE
 	linked_id = $1
+	AND
+	deleted = false
 `
 
 func (q *sqlQuerier) GetUserLinkByLinkedID(ctx context.Context, linkedID string) (UserLink, error) {

coderd/database/queries/user_links.sql

@@ -1,10 +1,14 @@
 -- name: GetUserLinkByLinkedID :one
 SELECT
-	*
+	user_links.*
 FROM
 	user_links
+INNER JOIN
+	users ON user_links.user_id = users.id
 WHERE
-	linked_id = $1;
+	linked_id = $1
+	AND
+	deleted = false;
 
 -- name: GetUserLinkByUserIDLoginType :one
 SELECT

coderd/userauth_test.go

@@ -603,6 +603,11 @@ func TestUserOAuth2Github(t *testing.T) {
 
 		require.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 	})
+
+	// The bug only is exercised when a deleted user with the same linked_id exists.
+	// Still related open issues:
+	// - https://github.com/coder/coder/issues/12116
+	// - https://github.com/coder/coder/issues/12115
 	t.Run("ChangedEmail", func(t *testing.T) {
 		t.Parallel()
 
@@ -627,7 +632,7 @@ func TestUserOAuth2Github(t *testing.T) {
 			coderEmail,
 		}
 
-		client := coderdtest.New(t, &coderdtest.Options{
+		owner := coderdtest.New(t, &coderdtest.Options{
 			Auditor: auditor,
 			GithubOAuth2Config: &coderd.GithubOAuth2Config{
 				AllowSignups:  true,
@@ -650,9 +655,21 @@ func TestUserOAuth2Github(t *testing.T) {
 				},
 			},
 		})
+		coderdtest.CreateFirstUser(t, owner)
 
-		ctx := testutil.Context(t, testutil.WaitMedium)
-		// This should register the user
+		ctx := testutil.Context(t, testutil.WaitLong)
+		// Create the user, then delete the user, then create again.
+		// This causes the email change to fail.
+		client := codersdk.New(owner.URL)
+
+		client, _ = fake.Login(t, client, jwt.MapClaims{})
+		deleted, err := client.User(ctx, "me")
+		require.NoError(t, err)
+
+		err = owner.DeleteUser(ctx, deleted.ID)
+		require.NoError(t, err)
+
+		// Create the user again.
 		client, _ = fake.Login(t, client, jwt.MapClaims{})
 		user, err := client.User(ctx, "me")
 		require.NoError(t, err)
@@ -666,7 +683,8 @@ func TestUserOAuth2Github(t *testing.T) {
 		client, _ = fake.Login(t, client, jwt.MapClaims{})
 		user, err = client.User(ctx, "me")
 		require.NoError(t, err)
-		require.Equal(t, user.ID, userID)
+
+		require.Equal(t, user.ID, userID, "user_id is different, a new user was likely created")
 		require.Equal(t, user.Email, *gmailEmail.Email)
 
 		// Entirely change emails.
@@ -681,7 +699,8 @@ func TestUserOAuth2Github(t *testing.T) {
 		client, _ = fake.Login(t, client, jwt.MapClaims{})
 		user, err = client.User(ctx, "me")
 		require.NoError(t, err)
-		require.Equal(t, user.ID, userID)
+
+		require.Equal(t, user.ID, userID, "user_id is different, a new user was likely created")
 		require.Equal(t, user.Email, newEmail)
 	})
 }