fix(auth): prevent duplicate user creation on OIDC login

Adds a check to ensure a user with the same email address does not already exist before creating a new user during an OIDC callback. If a duplicate email is found, the process is aborted with a 409 Conflict error. Addresses https://github.com/fallenbagel/jellyseerr/pull/1505#discussion_r2195036663
2025-12-24 02:39:18 -05:00 · 2025-08-01 10:39:41 +00:00
parent f4988aba15
commit 8f8a4153b6
1 changed files with 13 additions and 0 deletions
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -939,6 +939,19 @@ authRoutes.get('/oidc/callback/:slug', async (req, res, next) => {

    // Create user if one doesn't already exist
    if (!user && fullUserInfo.email != null && provider.newUserLogin) {
+      // Check if a user with this email already exists
+      const existingUser = await userRepository.findOne({
+        where: { email: fullUserInfo.email },
+      });
+
+      if (existingUser) {
+        // If a user with the email exists, throw a 409 Conflict error
+        return next({
+          status: 409,
+          message: 'A user with this email address already exists.',
+        });
+      }
+
      logger.info(`Creating user for ${fullUserInfo.email}`, {
        ip: req.ip,
        email: fullUserInfo.email,