Description
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
If I POST to the /manage/info Identity API endpoint with a new email, but another user already exists with that email/username, the call succeeds (with no changes to the user's account yet); when the user clicks the link in the confirmation email (resulting in a call to the /confirmEmail endpoint), it results in an error, but the user's email has in fact been changed (but not the username). This contradicts the policy of the email and username always being the same, and the user now has an email that is the same as another user's email/username.
Expected Behavior
I would expect an error to occur if a POST to /manage/info includes a request to change the email to one used by another user.
However, it's possible that after the change request is made (POST to /manage/info) but before the user clicks the link in the confirmation email (/confirmEmail), a new account could have been created with the same email/username requested in the change. In this case an error should occur and the account should be left unchanged.
Steps To Reproduce
- Create two accounts (say A and B) using the /register endpoint.
- Call the /login endpoint to get an access token for account A.
- POST to the /manage/info endpoint (using the access token) with newEmail set to account B's email/username. This call will succeed.
- Click the link in the confirmation email. It will fail with a 401 error, but A's email will now be the same as B's email/username.
Exceptions (if any)
No response
.NET Version
8.0.100
Anything else?
ASP.NET Core version: 8.0.0
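
The behaviour the report expects, as an added example (not part of the original issue and not ASP.NET Core Identity code): a constructed in-memory C# model in which the change request is refused when the address is already in use, and confirmation re-checks before changing email and username together. `AccountStore`, `User` and their methods are hypothetical names; the methods stand in for the `/register`, `/manage/info` and `/confirmEmail` endpoints.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed demo data: accounts A and B, as in the reproduction steps.
var store = new AccountStore();
var a = store.Register("a@example.test");
var b = store.Register("b@example.test");
// Reproduction case: A asks for B's address, so the request itself is refused.
bool rejected = store.RequestEmailChange(a.Id, b.Email) is null;
// Race case: the address is free at request time but registered before confirmation.
var token = store.RequestEmailChange(a.Id, "c@example.test")!;
store.Register("c@example.test");
bool confirmed = store.ConfirmEmailChange(token);
Console.WriteLine($"rejected={rejected} confirmed={confirmed} A={a.Email}/{a.UserName}");

class User { public string Id = "", Email = "", UserName = ""; }
class AccountStore // hypothetical in-memory model, not an ASP.NET Core Identity type
{
    private readonly List<User> _users = new();
    private readonly Dictionary<string, (string UserId, string NewEmail)> _pending = new();

    private bool Taken(string email, string exceptId) => _users.Any(u => u.Id != exceptId &&
        (u.Email.Equals(email, StringComparison.OrdinalIgnoreCase) ||
         u.UserName.Equals(email, StringComparison.OrdinalIgnoreCase)));

    public User Register(string email) // models /register (its own duplicate check is omitted)
    {
        var u = new User { Id = Guid.NewGuid().ToString("N"), Email = email, UserName = email };
        _users.Add(u);
        return u;
    }

    public string? RequestEmailChange(string userId, string newEmail) // models POST /manage/info
    {
        if (Taken(newEmail, userId)) return null; // refuse at request time
        var token = Guid.NewGuid().ToString("N"); // stand-in for a real confirmation token
        _pending[token] = (userId, newEmail);
        return token;
    }

    public bool ConfirmEmailChange(string token) // models /confirmEmail; the token is single-use
    {
        if (!_pending.Remove(token, out var p) || Taken(p.NewEmail, p.UserId)) return false;
        var u = _users.First(x => x.Id == p.UserId);
        u.Email = u.UserName = p.NewEmail; // both fields change together, or neither does
        return true;
    }
}
```

The model is single-threaded; in a real store the re-check and the write need to be atomic, for example by relying on a unique constraint.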