fix(auth): canonicalize invited signup email to invite (single-use under concurrent case-variants)

Author: PierreBrisorgueil

modules/auth/controllers/auth.controller.js

@@ -85,6 +85,11 @@ const signup = async (req, res) => {
     }
     // Force default role on public signup — clients must not self-assign admin
     const safeBody = { ...req.body, roles: ['user'] };
+    // Invite-gated signup: canonicalize the account email to the invite's pinned
+    // (lowercased) email. Enforces the pin exactly AND makes the case-sensitive
+    // unique-email index a reliable single-use backstop — concurrent case-variant
+    // signups on the same invite collide on the index instead of creating two accounts.
+    if (invite) safeBody.email = invite.email;
     const user = await UserService.create(safeBody);
 
     // Handle email verification — rollback user on failure to avoid orphaned accounts
@@ -455,6 +460,7 @@ const checkOAuthUserProfile = async (profil, key, provider) => {
     const error = model.checkError(result);
     if (error) throw new AppError('Schema validation error', { code: 'VALIDATION_ERROR', details: { message: error } });
     // else return req.body with the data after Zod validation
+    if (oauthInvite) result.value.email = oauthInvite.email;
     const createdUser = await UserService.create(result.value);
     if (oauthInvite) await InvitationService.consume(oauthInvite.id);
     return createdUser;

modules/auth/tests/auth.invitation.integration.tests.js

@@ -27,6 +27,7 @@ describe('Signup invitations:', () => {
       'inv-admin@test.com',
       'inv-user@test.com',
       'inv-admin2@test.com',
+      'canon@example.com',
     ]) {
       try {
         const existing = await UserService.getBrut({ email });
@@ -223,6 +224,20 @@ describe('Signup invitations:', () => {
       const recheck = await request(app).get(`/api/auth/invitations/verify/${token}`);
       expect(recheck.body.data.valid).toBe(true); // not consumed
     });
+
+    test('invited signup canonicalizes account email to the invite (case-insensitive pin → lowercased)', async () => {
+      config.sign.up = false; config.sign.cap = null;
+      const adminAgent = await createAdminAndSignin();
+      const created = await adminAgent.post('/api/auth/invitations').send({ email: 'canon@example.com' });
+      const { token } = created.body.data;
+      // sign up with an UPPER-CASE variant of the invited email
+      const res = await request(app)
+        .post(`/api/auth/signup?inviteToken=${token}`)
+        .send({ email: 'CANON@Example.com', password: 'Sup3rStr0ng!' });
+      expect(res.status).toBe(200);
+      // account email must be the invite's canonical lowercased value, not the submitted case-variant
+      expect(res.body.user.email).toBe('canon@example.com');
+    });
   });
 
   describe('OAuth signup gate (cap + email-matched invite)', () => {