From 8f8a4153b6579525c205bec3c64bd298abf4e497 Mon Sep 17 00:00:00 2001
From: Puranjay Savar Mattas
Date: Fri, 1 Aug 2025 10:39:41 +0000
Subject: [PATCH] fix(auth): prevent duplicate user creation on OIDC login

Adds a check to ensure a user with the same email address does not already exist before creating a new user during an OIDC callback. If a duplicate email is found, the process is aborted with a 409 Conflict error.

Addresses https://github.com/fallenbagel/jellyseerr/pull/1505#discussion_r2195036663
---
 server/routes/auth.ts | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/server/routes/auth.ts b/server/routes/auth.ts
index fb8697bb0..2fa7c6cce 100644
--- a/server/routes/auth.ts
+++ b/server/routes/auth.ts
@@ -939,6 +939,19 @@ authRoutes.get('/oidc/callback/:slug', async (req, res, next) => {
     // Create user if one doesn't already exist
     if (!user && fullUserInfo.email != null && provider.newUserLogin) {
+      // Check if a user with this email already exists
+      const existingUser = await userRepository.findOne({
+        where: { email: fullUserInfo.email },
+      });
+
+      if (existingUser) {
+        // If a user with the email exists, throw a 409 Conflict error
+        return next({
+          status: 409,
+          message: 'A user with this email address already exists.',
+        });
+      }
+
       logger.info(`Creating user for ${fullUserInfo.email}`, {
         ip: req.ip,
         email: fullUserInfo.email,
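Review bot: The new 409 branch returns without logging anything, while the creation path three lines below records `ip` and `email` at info level; a refused OIDC login for an already-registered address is exactly the event an operator wants in the log, so add `logger.warn('OIDC login refused: a user with this email already exists', { ip: req.ip, email: fullUserInfo.email });` before the `return next(...)`. The lookup is an exact-match `findOne` on `email`, so if the provider returns a different casing than what was stored the check passes; that is only safe if emails are normalised the same way wherever this file stores them, which is not visible in the hunk. The check is also a read followed (presumably, further down the handler) by a write, so two concurrent callbacks for the same address can both pass it — it should be treated as a fast path in front of a unique constraint on the email column, not as the guarantee. The enclosing route handler starts and ends outside the hunk.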