fix: return 409 when unverified OAuth email conflicts with existing account

Before: branch 3 of oauth_callback attempted to INSERT a user with a duplicate email → DB constraint violation → 500. After: if email_verified=False and the email already exists, raise 409 with a message directing the user to sign in with their password. Also adds test_callback_unverified_email_conflict_returns_409. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 13:46:15 +02:00
parent c1a8ac7669
commit 90500a3462
2 changed files with 26 additions and 0 deletions
--- a/app/api/routes/auth.py
+++ b/app/api/routes/auth.py
@@ -460,6 +460,17 @@ async def oauth_callback(
            await db.commit()
            return tokens

+    # Guard: if the email is already taken but we couldn't auto-link (e.g.
+    # email_verified=False), refuse with 409 instead of hitting a DB constraint.
+    if not userinfo.email_verified:
+        conflict = await db.execute(select(User).where(User.email == userinfo.email))
+        if conflict.scalar_one_or_none() is not None:
+            raise HTTPException(
+                status.HTTP_409_CONFLICT,
+                "An account with this email already exists. "
+                "Please sign in with your password.",
+            )
+
    # 3. New user — social-only account (no password).
    new_user = User(
        id=str(uuid.uuid4()),