Description
We've identified an issue in our SSO authentication flow where a user is authenticated before they are created in the database. This results in an incorrect assignment of polls to the user.
Details
During the first-time SSO login, the mergeGuestsIntoUser function is called to assign any existing guest polls to the newly authenticated user. However, at this point in the process, the user has not yet been created in the database. As a result, the polls are assigned a user_id value that corresponds to the provider_account_id, not the actual user_id.
This incorrect assignment necessitates a second merge operation further down the line to reassign the polls to the correct user_id once the user has been created in the database.
Expected Behavior
The expected behavior is that during the first-time SSO login, after the user is authenticated, the user should be created in the database. Only then should the mergeGuestsIntoUser function be called to assign any existing guest polls to the newly authenticated user. The polls should be assigned the correct user_id value at this time, eliminating the need for a second merge operation.
Suggested Fix
This is a complex issue that requires a deep understanding of how next-auth works and could potentially require significant changes in how authentication works in the app. Difficulty arises due to the fact that guest sessions are currently being handled through next-auth, which means that when a user authenticates the contents of the session cookie are overwritten, which limits the window in which we are able to identify which guest session should be attributed to the newly authenticated user. A solution could be to separate the two so that guest sessions run in parallel to next-auth sessions. This should allow us to perform the merge at a part of the authentication flow when the user is guaranteed to have been created.
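The ordering problem the issue describes, as an added example that is not part of the original issue or of the project's code base: a minimal in-memory model of the first-time SSO login, written in TypeScript because that is the language of the app under discussion. It reproduces the current flow, where `mergeGuestsIntoUser` runs in the sign-in callback before the user row exists and so tags polls with `provider_account_id`, and the proposed flow, where the guest id lives in a cookie next-auth does not overwrite and the merge runs once after the user is created. Every name below (`Db`, `Cookies`, `runCurrentFlow`, `runProposedFlow`, `mergeGuestsIntoExistingUser`, the sample ids) is hypothetical; the real next-auth callbacks and adapter are stood in for by plain function calls.

```typescript
// Added example, not Rallly or next-auth code. All names are hypothetical.
type Poll = { id: string; userId: string };
type User = { id: string; providerAccountId: string };

// In-memory stand-in for the database, with a counter for merge calls.
class Db {
  users: User[] = [];
  polls: Poll[] = [];
  mergeCalls = 0;
  private nextId = 1;

  createUser(providerAccountId: string): User {
    const user = { id: `user_${this.nextId++}`, providerAccountId };
    this.users.push(user);
    return user;
  }

  // Ownership rewrite used by both flows. Its result is only as good as the
  // userId the caller hands in; it does not check that the id is a user row.
  mergeGuestsIntoUser(guestId: string, userId: string): number {
    this.mergeCalls++;
    let moved = 0;
    for (const p of this.polls) {
      if (p.userId === guestId) {
        p.userId = userId;
        moved++;
      }
    }
    return moved;
  }

  // Guarded variant: refuse to attach polls to an id that is not a user row.
  // Called with a provider account id, it fails loudly instead of mis-tagging.
  mergeGuestsIntoExistingUser(guestId: string, userId: string): number {
    if (!this.users.some((u) => u.id === userId)) {
      throw new Error(`refusing merge: ${userId} is not an existing user id`);
    }
    return this.mergeGuestsIntoUser(guestId, userId);
  }

  ownersOf(): string[] {
    return this.polls.map((p) => p.userId);
  }
}

// One browser's cookies. "session" is owned by next-auth and is rewritten on
// sign-in; "guest" is the separate cookie the proposed fix would introduce.
type Cookies = { session?: string; guest?: string };

// Current behaviour: the guest session IS the next-auth session, so the guest
// id is last visible in the sign-in callback, which runs before the adapter
// has created the user. The only stable id on hand there is the provider
// account id, so that is what the polls get, and a second merge must repair it.
function runCurrentFlow(db: Db, cookies: Cookies, providerAccountId: string) {
  const guestId = cookies.session!;
  db.mergeGuestsIntoUser(guestId, providerAccountId); // no user row yet
  const afterFirstMerge = db.ownersOf();
  const user = db.createUser(providerAccountId); // adapter creates the user
  cookies.session = user.id; // next-auth overwrites the session cookie
  db.mergeGuestsIntoUser(providerAccountId, user.id); // repair merge
  return { user, afterFirstMerge, afterSecondMerge: db.ownersOf() };
}

// Proposed behaviour: the guest id survives in its own cookie, so the merge
// can run after user creation with the real user id, under the guard.
function runProposedFlow(db: Db, cookies: Cookies, providerAccountId: string) {
  const user = db.createUser(providerAccountId);
  cookies.session = user.id; // next-auth rewrites only its own cookie
  const guestId = cookies.guest;
  if (guestId) {
    db.mergeGuestsIntoExistingUser(guestId, user.id);
    delete cookies.guest; // guest identity is consumed exactly once
  }
  return { user, owners: db.ownersOf(), guestCookieCleared: cookies.guest === undefined };
}

// Constructed scenario: one poll made as guest "guest_abc", then a first SSO
// login whose provider account id is "prov_123".
function demo() {
  const current = new Db();
  current.polls.push({ id: "poll_1", userId: "guest_abc" });
  const a = runCurrentFlow(current, { session: "guest_abc" }, "prov_123");

  const proposed = new Db();
  proposed.polls.push({ id: "poll_1", userId: "guest_abc" });
  const b = runProposedFlow(proposed, { guest: "guest_abc" }, "prov_123");
  return { current, proposed, a, b };
}

const result = demo();
console.log("current flow, after first merge:", result.a.afterFirstMerge);
console.log("current flow, after second merge:", result.a.afterSecondMerge);
console.log("proposed flow, single merge:", result.b.owners);
```

The guard in `mergeGuestsIntoExistingUser` is the check worth carrying into a real fix: a merge keyed on an id that is not a user row should be an error at the call site, not a row that silently carries `provider_account_id` in `user_id` until a later repair step happens to run.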