When the user successfully links their LTI login to an existing account, we clear the PartialRegistration in the account linking service. However, if they instead select to continue with a new roster-synced account, we set their lms_landing_opted_out flag but leave the PartialRegistration. If they subsequently add an OAuth login to their account prior to the PartialRegistration cache expiring, then hit the OAuth login route for that provider, the OmniauthCallbacksController will recognize them as still in the account linking flow, and pass their user object into the account linking. This inadvertently deletes their account and actually sort of unlinks it, because the account they had previously linked their OAuth login to is now gone.

Repro steps:

• Sync an LTI course, creating students
• Launch as one of the students, selecting Continue from the account linking page
• In the same session, go to Account Settings and link Clever
• From the Clever dashboard, launch the tool (or otherwise hit the OAuth login route)
• You should get hit with an error, and your account will effectively be unlinked.

More info in the JIRA attachments, including the Statsig event log for the user that hit this error in prod, showing the breadcrumbs that lead to these repro steps.

This PR fixes the bug by:

• Clearing the PartialRegistration after the user selects Continue
• Hardening the should_link_accounts? check in OmniauthCallbackController, so that it respects the lms_landing_opted_out flag.

Links

JIRA

Testing story

Deployment notes

Privacy and security