fix: Concurrent signup with same authentication creates duplicate users (#10149)

Author: mtrezza

spec/AuthDataUniqueIndex.spec.js

@@ -0,0 +1,210 @@
+'use strict';
+
+const request = require('../lib/request');
+const Config = require('../lib/Config');
+
+describe('AuthData Unique Index', () => {
+  const fakeAuthProvider = {
+    validateAppId: () => Promise.resolve(),
+    validateAuthData: () => Promise.resolve(),
+  };
+
+  beforeEach(async () => {
+    await reconfigureServer({ auth: { fakeAuthProvider } });
+  });
+
+  it('should prevent concurrent signups with the same authData from creating duplicate users', async () => {
+    const authData = { fakeAuthProvider: { id: 'duplicate-test-id', token: 'token1' } };
+
+    // Fire multiple concurrent signup requests with the same authData
+    const concurrentRequests = Array.from({ length: 5 }, () =>
+      request({
+        method: 'POST',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        url: 'http://localhost:8378/1/users',
+        body: { authData },
+      }).then(
+        response => ({ success: true, data: response.data }),
+        error => ({ success: false, error: error.data || error.message })
+      )
+    );
+
+    const results = await Promise.all(concurrentRequests);
+    const successes = results.filter(r => r.success);
+    const failures = results.filter(r => !r.success);
+
+    // All should either succeed (returning the same user) or fail with "this auth is already used"
+    // The key invariant: only ONE unique objectId should exist
+    const uniqueObjectIds = new Set(successes.map(r => r.data.objectId));
+    expect(uniqueObjectIds.size).toBe(1);
+
+    // Failures should be "this auth is already used" errors
+    for (const failure of failures) {
+      expect(failure.error.code).toBe(208);
+      expect(failure.error.error).toBe('this auth is already used');
+    }
+
+    // Verify only one user exists in the database with this authData
+    const query = new Parse.Query('_User');
+    query.equalTo('authData.fakeAuthProvider.id', 'duplicate-test-id');
+    const users = await query.find({ useMasterKey: true });
+    expect(users.length).toBe(1);
+  });
+
+  it('should prevent concurrent signups via batch endpoint with same authData', async () => {
+    const authData = { fakeAuthProvider: { id: 'batch-race-test-id', token: 'token1' } };
+
+    const response = await request({
+      method: 'POST',
+      headers: {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+        'Content-Type': 'application/json',
+      },
+      url: 'http://localhost:8378/1/batch',
+      body: {
+        requests: Array.from({ length: 3 }, () => ({
+          method: 'POST',
+          path: '/1/users',
+          body: { authData },
+        })),
+      },
+    });
+
+    const results = response.data;
+    const successes = results.filter(r => r.success);
+    const failures = results.filter(r => r.error);
+
+    // All successes should reference the same user
+    const uniqueObjectIds = new Set(successes.map(r => r.success.objectId));
+    expect(uniqueObjectIds.size).toBe(1);
+
+    // Failures should be "this auth is already used" errors
+    for (const failure of failures) {
+      expect(failure.error.code).toBe(208);
+      expect(failure.error.error).toBe('this auth is already used');
+    }
+
+    // Verify only one user exists in the database with this authData
+    const query = new Parse.Query('_User');
+    query.equalTo('authData.fakeAuthProvider.id', 'batch-race-test-id');
+    const users = await query.find({ useMasterKey: true });
+    expect(users.length).toBe(1);
+  });
+
+  it('should allow sequential signups with different authData IDs', async () => {
+    const user1 = await Parse.User.logInWith('fakeAuthProvider', {
+      authData: { id: 'user-id-1', token: 'token1' },
+    });
+    const user2 = await Parse.User.logInWith('fakeAuthProvider', {
+      authData: { id: 'user-id-2', token: 'token2' },
+    });
+
+    expect(user1.id).toBeDefined();
+    expect(user2.id).toBeDefined();
+    expect(user1.id).not.toBe(user2.id);
+  });
+
+  it('should still allow login with authData after successful signup', async () => {
+    const authPayload = { authData: { id: 'login-test-id', token: 'token1' } };
+
+    // Signup
+    const user1 = await Parse.User.logInWith('fakeAuthProvider', authPayload);
+    expect(user1.id).toBeDefined();
+
+    // Login again with same authData — should return same user
+    const user2 = await Parse.User.logInWith('fakeAuthProvider', authPayload);
+    expect(user2.id).toBe(user1.id);
+  });
+
+  it('should skip startup index creation when createIndexAuthDataUniqueness is false', async () => {
+    const config = Config.get('test');
+    const adapter = config.database.adapter;
+    const spy = spyOn(adapter, 'ensureAuthDataUniqueness').and.callThrough();
+
+    // Temporarily set the option to false
+    const originalOptions = config.database.options.databaseOptions;
+    config.database.options.databaseOptions = { createIndexAuthDataUniqueness: false };
+
+    await config.database.performInitialization();
+    expect(spy).not.toHaveBeenCalled();
+
+    // Restore original options
+    config.database.options.databaseOptions = originalOptions;
+  });
+
+  it('should handle calling ensureAuthDataUniqueness multiple times (idempotent)', async () => {
+    const config = Config.get('test');
+    const adapter = config.database.adapter;
+
+    // Both calls should succeed (index creation is idempotent)
+    await adapter.ensureAuthDataUniqueness('fakeAuthProvider');
+    await adapter.ensureAuthDataUniqueness('fakeAuthProvider');
+  });
+
+  it('should log warning when index creation fails due to existing duplicates', async () => {
+    const config = Config.get('test');
+    const adapter = config.database.adapter;
+
+    // Spy on the adapter to simulate a duplicate value error
+    spyOn(adapter, 'ensureAuthDataUniqueness').and.callFake(() => {
+      return Promise.reject(
+        new Parse.Error(Parse.Error.DUPLICATE_VALUE, 'duplicates exist')
+      );
+    });
+
+    const logSpy = spyOn(require('../lib/logger').logger, 'warn');
+
+    // Re-run performInitialization — should warn but not throw
+    await config.database.performInitialization();
+    expect(logSpy).toHaveBeenCalledWith(
+      jasmine.stringContaining('Unable to ensure uniqueness for auth data provider'),
+      jasmine.anything()
+    );
+  });
+
+  it('should prevent concurrent signups with same anonymous authData', async () => {
+    const anonymousId = 'anon-race-test-id';
+    const authData = { anonymous: { id: anonymousId } };
+
+    const concurrentRequests = Array.from({ length: 5 }, () =>
+      request({
+        method: 'POST',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        url: 'http://localhost:8378/1/users',
+        body: { authData },
+      }).then(
+        response => ({ success: true, data: response.data }),
+        error => ({ success: false, error: error.data || error.message })
+      )
+    );
+
+    const results = await Promise.all(concurrentRequests);
+    const successes = results.filter(r => r.success);
+    const failures = results.filter(r => !r.success);
+
+    // All successes should reference the same user
+    const uniqueObjectIds = new Set(successes.map(r => r.data.objectId));
+    expect(uniqueObjectIds.size).toBe(1);
+
+    // Failures should be "this auth is already used" errors
+    for (const failure of failures) {
+      expect(failure.error.code).toBe(208);
+      expect(failure.error.error).toBe('this auth is already used');
+    }
+
+    // Verify only one user exists in the database with this authData
+    const query = new Parse.Query('_User');
+    query.equalTo('authData.anonymous.id', anonymousId);
+    const users = await query.find({ useMasterKey: true });
+    expect(users.length).toBe(1);
+  });
+});

spec/DatabaseController.spec.js

@@ -415,6 +415,11 @@ describe('DatabaseController', function () {
           email_1: { email: 1 },
           _email_verify_token: { _email_verify_token: 1 },
           _perishable_token: { _perishable_token: 1 },
+          _auth_data_custom_id: { '_auth_data_custom.id': 1 },
+          _auth_data_facebook_id: { '_auth_data_facebook.id': 1 },
+          _auth_data_myoauth_id: { '_auth_data_myoauth.id': 1 },
+          _auth_data_shortLivedAuth_id: { '_auth_data_shortLivedAuth.id': 1 },
+          _auth_data_anonymous_id: { '_auth_data_anonymous.id': 1 },
         });
       }
     );
@@ -441,6 +446,11 @@ describe('DatabaseController', function () {
           email_1: { email: 1 },
           _email_verify_token: { _email_verify_token: 1 },
           _perishable_token: { _perishable_token: 1 },
+          _auth_data_custom_id: { '_auth_data_custom.id': 1 },
+          _auth_data_facebook_id: { '_auth_data_facebook.id': 1 },
+          _auth_data_myoauth_id: { '_auth_data_myoauth.id': 1 },
+          _auth_data_shortLivedAuth_id: { '_auth_data_shortLivedAuth.id': 1 },
+          _auth_data_anonymous_id: { '_auth_data_anonymous.id': 1 },
         });
       }
     );

spec/ParseUser.spec.js

@@ -390,7 +390,7 @@ describe('Parse.User testing', () => {
     expect(newUser).not.toBeUndefined();
   });
 
-  it('should be let masterKey lock user out with authData', async () => {
+  it_only_db('mongo')('should reject duplicate authData when masterKey locks user out (mongo)', async () => {
     const response = await request({
       method: 'POST',
       url: 'http://localhost:8378/1/classes/_User',
@@ -406,15 +406,13 @@ describe('Parse.User testing', () => {
     });
     const body = response.data;
     const objectId = body.objectId;
-    const sessionToken = body.sessionToken;
-    expect(sessionToken).toBeDefined();
+    expect(body.sessionToken).toBeDefined();
     expect(objectId).toBeDefined();
     const user = new Parse.User();
     user.id = objectId;
     const ACL = new Parse.ACL();
     user.setACL(ACL);
     await user.save(null, { useMasterKey: true });
-    // update the user
     const options = {
       method: 'POST',
       url: `http://localhost:8378/1/classes/_User/`,
@@ -430,8 +428,61 @@ describe('Parse.User testing', () => {
         },
       },
     };
-    const res = await request(options);
-    expect(res.data.objectId).not.toEqual(objectId);
+    try {
+      await request(options);
+      fail('should have thrown');
+    } catch (err) {
+      expect(err.data.code).toBe(208);
+      expect(err.data.error).toBe('this auth is already used');
+    }
+  });
+
+  it_only_db('postgres')('should reject duplicate authData when masterKey locks user out (postgres)', async () => {
+    await reconfigureServer();
+    const response = await request({
+      method: 'POST',
+      url: 'http://localhost:8378/1/classes/_User',
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-REST-API-Key': 'rest',
+        'Content-Type': 'application/json',
+      },
+      body: {
+        key: 'value',
+        authData: { anonymous: { id: '00000000-0000-0000-0000-000000000001' } },
+      },
+    });
+    const body = response.data;
+    const objectId = body.objectId;
+    expect(body.sessionToken).toBeDefined();
+    expect(objectId).toBeDefined();
+    const user = new Parse.User();
+    user.id = objectId;
+    const ACL = new Parse.ACL();
+    user.setACL(ACL);
+    await user.save(null, { useMasterKey: true });
+    const options = {
+      method: 'POST',
+      url: `http://localhost:8378/1/classes/_User/`,
+      headers: {
+        'X-Parse-Application-Id': Parse.applicationId,
+        'X-Parse-REST-API-Key': 'rest',
+        'Content-Type': 'application/json',
+      },
+      body: {
+        key: 'otherValue',
+        authData: {
+          anonymous: { id: '00000000-0000-0000-0000-000000000001' },
+        },
+      },
+    };
+    try {
+      await request(options);
+      fail('should have thrown');
+    } catch (err) {
+      expect(err.data.code).toBe(208);
+      expect(err.data.error).toBe('this auth is already used');
+    }
   });
 
   it('user login with files', done => {

src/Adapters/Storage/Mongo/MongoStorageAdapter.js

@@ -582,6 +582,13 @@ export class MongoStorageAdapter implements StorageAdapter {
             if (matches && Array.isArray(matches)) {
               err.userInfo = { duplicated_field: matches[1] };
             }
+            // Check for authData unique index violations
+            if (!err.userInfo) {
+              const authDataMatch = error.message.match(/index:\s+(_auth_data_[a-zA-Z0-9_]+_id)/);
+              if (authDataMatch) {
+                err.userInfo = { duplicated_field: authDataMatch[1] };
+              }
+            }
           }
           throw err;
         }
@@ -658,10 +665,26 @@ export class MongoStorageAdapter implements StorageAdapter {
       .catch(error => {
         if (error.code === 11000) {
           logger.error('Duplicate key error:', error.message);
-          throw new Parse.Error(
+          const err = new Parse.Error(
             Parse.Error.DUPLICATE_VALUE,
             'A duplicate value for a field with unique values was provided'
           );
+          err.underlyingError = error;
+          if (error.message) {
+            const matches = error.message.match(
+              /index:[\sa-zA-Z0-9_\-\.]+\$?([a-zA-Z_-]+)_1/
+            );
+            if (matches && Array.isArray(matches)) {
+              err.userInfo = { duplicated_field: matches[1] };
+            }
+            if (!err.userInfo) {
+              const authDataMatch = error.message.match(/index:\s+(_auth_data_[a-zA-Z0-9_]+_id)/);
+              if (authDataMatch) {
+                err.userInfo = { duplicated_field: authDataMatch[1] };
+              }
+            }
+          }
+          throw err;
         }
         throw error;
       })
@@ -818,6 +841,32 @@ export class MongoStorageAdapter implements StorageAdapter {
       .catch(err => this.handleError(err));
   }
 
+  // Creates a unique sparse index on _auth_data_<provider>.id to prevent
+  // race conditions during concurrent signups with the same authData.
+  ensureAuthDataUniqueness(provider: string) {
+    return this._adaptiveCollection('_User')
+      .then(collection =>
+        collection._mongoCollection.createIndex(
+          { [`_auth_data_${provider}.id`]: 1 },
+          { unique: true, sparse: true, background: true, name: `_auth_data_${provider}_id` }
+        )
+      )
+      .catch(error => {
+        if (error.code === 11000) {
+          throw new Parse.Error(
+            Parse.Error.DUPLICATE_VALUE,
+            'Tried to ensure field uniqueness for a class that already has duplicates.'
+          );
+        }
+        // Ignore "index already exists with same name" or "index already exists with different options"
+        if (error.code === 85 || error.code === 86) {
+          return;
+        }
+        throw error;
+      })
+      .catch(err => this.handleError(err));
+  }
+
   // Used in tests
   _rawFind(className: string, query: QueryType) {
     return this._adaptiveCollection(className)