VCST-4570: Error handling for duplicated emails in DB (#2981)

OlegoO · web-flow · commit 23904f4dde30 · 2026-02-23T19:54:35.000+02:00
diff --git a/src/VirtoCommerce.Platform.Security/CustomUserManager.cs b/src/VirtoCommerce.Platform.Security/CustomUserManager.cs
@@ -12,6 +12,7 @@
 using VirtoCommerce.Platform.Core.Security;
 using VirtoCommerce.Platform.Core.Security.Events;
 using VirtoCommerce.Platform.Security.Caching;
+using VirtoCommerce.Platform.Security.Exceptions;
 using VirtoCommerce.Platform.Security.Model;
 using VirtoCommerce.Platform.Security.Repositories;
 
@@ -63,7 +64,17 @@ public override Task<ApplicationUser> FindByEmailAsync(string email)
             var cacheKey = CacheKey.With(GetType(), nameof(FindByEmailAsync), email);
             return _memoryCache.GetOrCreateExclusiveAsync(cacheKey, async cacheEntry =>
             {
-                var user = await base.FindByEmailAsync(email);
+                ApplicationUser user;
+
+                try
+                {
+                    user = await base.FindByEmailAsync(email);
+                }
+                catch (InvalidOperationException ex) when (ex.StackTrace?.Contains("SingleOrDefault") == true)
+                {
+                    throw new DuplicateEmailException(email, ex);
+                }
+
                 if (user is not null)
                 {
                     await LoadUserDetailsAsync(user);
diff --git a/src/VirtoCommerce.Platform.Security/Exceptions/DuplicateEmailException.cs b/src/VirtoCommerce.Platform.Security/Exceptions/DuplicateEmailException.cs
@@ -0,0 +1,18 @@
+using System;
+using VirtoCommerce.Platform.Core.Exceptions;
+
+namespace VirtoCommerce.Platform.Security.Exceptions
+{
+    public class DuplicateEmailException : PlatformException
+    {
+        public DuplicateEmailException(string email)
+            : base($"Multiple accounts are associated with the email '{email}'.")
+        {
+        }
+
+        public DuplicateEmailException(string email, Exception innerException)
+            : base($"Multiple accounts are associated with the email '{email}'.", innerException)
+        {
+        }
+    }
+}
diff --git a/src/VirtoCommerce.Platform.Security/OpenIddict/SecurityErrorDescriber.cs b/src/VirtoCommerce.Platform.Security/OpenIddict/SecurityErrorDescriber.cs
@@ -67,5 +67,12 @@ public static class SecurityErrorDescriber
             Code = nameof(UnsupportedGrantType).ToSnakeCase(),
             ErrorDescription = "The specified grant type is not supported."
         };
+
+        public static TokenResponse DuplicateEmailLoginAttempt() => new()
+        {
+            Error = Errors.InvalidGrant,
+            Code = nameof(DuplicateEmailLoginAttempt).ToSnakeCase(),
+            ErrorDescription = "Multiple accounts are associated with this email. Please use your username to login."
+        };
     }
 }
diff --git a/src/VirtoCommerce.Platform.Web/Controllers/Api/AuthorizationController.cs b/src/VirtoCommerce.Platform.Web/Controllers/Api/AuthorizationController.cs
@@ -20,6 +20,7 @@
 using VirtoCommerce.Platform.Core.Security.Events;
 using VirtoCommerce.Platform.Core.Security.ExternalSignIn;
 using VirtoCommerce.Platform.Security.Authorization;
+using VirtoCommerce.Platform.Security.Exceptions;
 using VirtoCommerce.Platform.Security.Extensions;
 using VirtoCommerce.Platform.Security.Model.OpenIddict;
 using VirtoCommerce.Platform.Security.OpenIddict;
@@ -134,10 +135,18 @@ public async Task<ActionResult> Exchange()
 
                 var user = await _userManager.FindByNameAsync(openIdConnectRequest.Username);
 
-                // Allows signin to back office by either username (login) or email if IdentityOptions.User.RequireUniqueEmail is True. 
+                // Allows signin to back office by either username (login) or email if IdentityOptions.User.RequireUniqueEmail is True.
                 if (user is null && _identityOptions.User.RequireUniqueEmail)
                 {
-                    user = await _userManager.FindByEmailAsync(openIdConnectRequest.Username);
+                    try
+                    {
+                        user = await _userManager.FindByEmailAsync(openIdConnectRequest.Username);
+                    }
+                    catch (DuplicateEmailException)
+                    {
+                        await delayedResponse.FailAsync();
+                        return BadRequest(SecurityErrorDescriber.DuplicateEmailLoginAttempt());
+                    }
                 }
 
                 if (user is null)
@@ -153,7 +162,16 @@ public async Task<ActionResult> Exchange()
                 }
 
                 // Validate the username/password parameters and ensure the account is not locked out.
-                context.SignInResult = await _signInManager.CheckPasswordSignInAsync(user, openIdConnectRequest.Password, lockoutOnFailure: true);
+                try
+                {
+                    context.SignInResult = await _signInManager.CheckPasswordSignInAsync(user, openIdConnectRequest.Password, lockoutOnFailure: true);
+                }
+                catch (DuplicateEmailException)
+                {
+                    await delayedResponse.FailAsync();
+                    return BadRequest(SecurityErrorDescriber.DuplicateEmailLoginAttempt());
+                }
+
                 context.User = user.CloneTyped();
 
                 foreach (var requestValidator in _requestValidators)
@@ -172,7 +190,16 @@ public async Task<ActionResult> Exchange()
                 // Create a new authentication ticket.
                 var ticket = await CreateTicketAsync(user, context);
 
-                await SetLastLoginDate(user);
+                try
+                {
+                    await SetLastLoginDate(user);
+                }
+                catch (DuplicateEmailException)
+                {
+                    await delayedResponse.FailAsync();
+                    return BadRequest(SecurityErrorDescriber.DuplicateEmailLoginAttempt());
+                }
+
                 await _eventPublisher.Publish(new UserLoginEvent(user));
 
                 await delayedResponse.SucceedAsync();
diff --git a/src/VirtoCommerce.Platform.Web/Controllers/Api/SecurityController.cs b/src/VirtoCommerce.Platform.Web/Controllers/Api/SecurityController.cs
@@ -19,6 +19,7 @@
 using VirtoCommerce.Platform.Core.Security;
 using VirtoCommerce.Platform.Core.Security.Events;
 using VirtoCommerce.Platform.Core.Security.Search;
+using VirtoCommerce.Platform.Security.Exceptions;
 using VirtoCommerce.Platform.Security.Extensions;
 using VirtoCommerce.Platform.Security.ExternalSignIn;
 using VirtoCommerce.Platform.Web.Model.Security;
@@ -137,10 +138,18 @@ public async Task<ActionResult<SignInResult>> Login([FromBody] LoginRequest requ
 
             var user = await UserManager.FindByNameAsync(request.UserName);
 
-            // Allows signin to back office by either username (login) or email if IdentityOptions.User.RequireUniqueEmail is True. 
+            // Allows signin to back office by either username (login) or email if IdentityOptions.User.RequireUniqueEmail is True.
             if (user == null && _identityOptions.User.RequireUniqueEmail)
             {
-                user = await UserManager.FindByEmailAsync(request.UserName);
+                try
+                {
+                    user = await UserManager.FindByEmailAsync(request.UserName);
+                }
+                catch (DuplicateEmailException)
+                {
+                    await delayedResponse.FailAsync();
+                    return Ok(SignInResult.Failed);
+                }
             }
 
             if (user == null)
@@ -417,11 +426,16 @@ public async Task<ActionResult<ApplicationUser>> GetUserById([FromRoute] string
         [Authorize(PlatformPermissions.SecurityQuery)]
         public async Task<ActionResult<ApplicationUser>> GetUserByEmail([FromRoute] string email)
         {
-            var result = await UserManager.FindByEmailAsync(email);
-
-            result = ReduceUserDetails(result);
-
-            return Ok(result);
+            try
+            {
+                var result = await UserManager.FindByEmailAsync(email);
+                result = ReduceUserDetails(result);
+                return Ok(result);
+            }
+            catch (DuplicateEmailException ex)
+            {
+                return BadRequest(new { message = ex.Message });
+            }
         }
 
         /// <summary>
@@ -664,7 +678,15 @@ public async Task<ActionResult> RequestPasswordReset(string loginOrEmail)
 
             if (user == null && _identityOptions.User.RequireUniqueEmail)
             {
-                user = await UserManager.FindByEmailAsync(loginOrEmail);
+                try
+                {
+                    user = await UserManager.FindByEmailAsync(loginOrEmail);
+                }
+                catch (DuplicateEmailException)
+                {
+                    await delayedResponse.FailAsync();
+                    return Ok();
+                }
             }
 
             // Return 200 to prevent potential user name/email harvesting

Original file line number	Diff line number	Diff line change
`@@ -67,5 +67,12 @@ public static class SecurityErrorDescriber`
`67`	`67`	`Code = nameof(UnsupportedGrantType).ToSnakeCase(),`
`68`	`68`	`ErrorDescription = "The specified grant type is not supported."`
`69`	`69`	`};`
	`70`	`+`
	`71`	`+ public static TokenResponse DuplicateEmailLoginAttempt() => new()`
	`72`	`+ {`
	`73`	`+ Error = Errors.InvalidGrant,`
	`74`	`+ Code = nameof(DuplicateEmailLoginAttempt).ToSnakeCase(),`
	`75`	`+ ErrorDescription = "Multiple accounts are associated with this email. Please use your username to login."`
	`76`	`+ };`
`70`	`77`	`}`
`71`	`78`	`}`