fix: Two accounts with the same email

[aliraza-abbasi]

Pre-Flight checklist

• Screenshots and design review for any changes that affect layout or styling
  • Desktop screenshots
  • Mobile width screenshots
• Migrations
  • Migration is backward-compatible with the current production code
• Testing
  • Code is tested
  • Changes have been manually tested
• Settings
  • New settings are documented and present in app.json
  • New settings have reasonable development defaults, if applicable

What are the relevant tickets?

#2633

What's this PR do?

Fixes the two account issue with one email #2633

How should this be manually tested?

1. Checkout to this branch and run xpro locally
2. Open Create Account on local xpro
3. Enter an email, with lowercase letters in the address
4. In another tab, open Create Account again and enter the same email, but all uppercase
5. You should get two verification emails, with different links.
6. Follow one of the links and complete the first screen of the account creation process
7. In a private window or another browser open the 2nd verification link and complete the first screen of the account creation process
8. You should see an error screen as the screenshot below on submit that a user already exists

Screenshots (if appropriate)

[arslanashraf7]

What would happen if we throw UnexpectedExistingUserException here instead of InvalidEmail exception, I feel like throwing InvalidEmail might be a little too general because the email is valid & passes the validation but the problem is that it already exists.

[aliraza-abbasi]

The InvalidEmail exception is being handled here.

mitxpro/authentication/serializers.py

Line 92 in 333ab77

except InvalidEmail:

It returns the existing-user state in the API on the other hand UnexpectedExistingUserException returns the error state in the API and there is no error message. Here are screenshots where I raised UnexpectedExistingUserException.
Backend:

Frontend:

[arslanashraf7]

I was looking around and checking what might be the right exception to throw here and it looks like there is AuthAlreadyAssociated exception from social-core which we should throw here and add a catch statement in the serializer along with InvalidEmail.

[arslanashraf7]

In the above check where we are checking if it exists, Are we always going to get the user object in this step of the pipeline?

[aliraza-abbasi]

I added this check in the previous PR where we allowed a user to save his information again on Step 1 of the Registration Form. But after this issue is raised, we are not allowing users to go back to step 1 and save the information again. As we talked about before starting work on this issue. So, I've removed this check, because now we don't need this check here.

[arslanashraf7]

If we have started to make the email lower in the pipeline step, Do we still need to again this lower function here ?

[arslanashraf7]

If we need it here, we should add test for this as well.

[aliraza-abbasi]

As mentioned in the above comment #2642 (comment). This is where the InvalidEmail exception is being handled. So adding .strip().lower() is required here to check if the user exists in the InvalidEmail Exception.

[aliraza-abbasi]

I've removed .strip().lower() from here and fixed the query to check the user with case insensitive email

[arslanashraf7]

Do we need to lower the email here too?

[aliraza-abbasi]

I added this check here if a user updates his/her email. It'll always be saved in lowercase. At the time of registration and on updating his/her account info

[aliraza-abbasi]

I've removed this .strip().lower() check from the pipeline so now it is definitely required here

[arslanashraf7]

I was able to test the PR and it seems to be working except one case that might confuse the user and we should try to fix that if possible. I also added a comment regarding throwing the right exception.

So there is a scenario when we get a duplicate username collision, I'm adding the logs for that below.

To get into this scenario:

1. Create a user with a an email address complete registration
2. Create another user with appended +1 in the email, and see the logs. The usernamify function generates the same username for this user as well and gets an error from DB.
3. On Master, The register form stays there and the Continue button is enabled again, When we click this it reattempts the user namify and this time create the right user. (If it's not reproduced with this step, try a manual intervention to create the username collision from usernamify function)
4. In case of this PR, When username collision happens, and user clicks the Continue button again it is redirected to the login page saying User already exists which can confuse the user. Maybe we should try to handle this case.

The error log:

db_1      | 2023-05-15 09:54:50.317 UTC [1120] ERROR:  duplicate key value violates unique constraint "users_user_username_key"
db_1      | 2023-05-15 09:54:50.317 UTC [1120] DETAIL:  Key (username)=(arslan-ashraf) already exists.
db_1      | 2023-05-15 09:54:50.317 UTC [1120] STATEMENT:  INSERT INTO "users_user" ("password", "last_login", "is_superuser", "created_on", "updated_on", "username", "email", "name", "is_staff", "is_active") VALUES ('<>, NULL, false, '2023-05-15T09:54:50.312660+00:00'::timestamptz, '2023-05-15T09:54:50.312681+00:00'::timestamptz, 'arslan-ashraf', 'arslan.ashraf+20@arbisoft.com', 'Arslan Ashraf20', false, false) RETURNING "users_user"."id"

[arslanashraf7]

I was looking around and checking what might be the right exception to throw here and it looks like there is AuthAlreadyAssociated exception from social-core which we should throw here and add a catch statement in the serializer along with InvalidEmail.

[aliraza-abbasi]

I was able to test the PR and it seems to be working except one case that might confuse the user and we should try to fix that if possible. I also added a comment regarding throwing the right exception.

So there is a scenario when we get a duplicate username collision, I'm adding the logs for that below.

To get into this scenario:

1. Create a user with a an email address complete registration

2. Create another user with appended `+1` in the email, and see the logs. The usernamify function generates the same username for this user as well and gets an error from DB.

3. On Master, The register form stays there and the `Continue` button is enabled again, When we click this it reattempts the user namify and this time create the right user. (If it's not reproduced with this step, try a manual intervention to create the username collision from usernamify function)

4. In case of this PR, When username collision happens, and user clicks the `Continue` button again it is redirected to the login page saying `User already exists` which can confuse the user. Maybe we should try to handle this case.

The error log:

db_1      | 2023-05-15 09:54:50.317 UTC [1120] ERROR:  duplicate key value violates unique constraint "users_user_username_key"
db_1      | 2023-05-15 09:54:50.317 UTC [1120] DETAIL:  Key (username)=(arslan-ashraf) already exists.
db_1      | 2023-05-15 09:54:50.317 UTC [1120] STATEMENT:  INSERT INTO "users_user" ("password", "last_login", "is_superuser", "created_on", "updated_on", "username", "email", "name", "is_staff", "is_active") VALUES ('<>, NULL, false, '2023-05-15T09:54:50.312660+00:00'::timestamptz, '2023-05-15T09:54:50.312681+00:00'::timestamptz, 'arslan-ashraf', 'arslan.ashraf+20@arbisoft.com', 'Arslan Ashraf20', false, false) RETURNING "users_user"."id"

I have followed the steps provided, and I did not encounter the mentioned issue. Based on my understanding, this issue should not occur as a result of this PR. The PR specifically checks for existing users based on their email addresses, not their usernames.

[arslanashraf7]

I was able to test the PR and it seems to be working except one case that might confuse the user and we should try to fix that if possible. I also added a comment regarding throwing the right exception.
So there is a scenario when we get a duplicate username collision, I'm adding the logs for that below.
To get into this scenario:

1. Create a user with a an email address complete registration

2. Create another user with appended `+1` in the email, and see the logs. The usernamify function generates the same username for this user as well and gets an error from DB.

3. On Master, The register form stays there and the `Continue` button is enabled again, When we click this it reattempts the user namify and this time create the right user. (If it's not reproduced with this step, try a manual intervention to create the username collision from usernamify function)

4. In case of this PR, When username collision happens, and user clicks the `Continue` button again it is redirected to the login page saying `User already exists` which can confuse the user. Maybe we should try to handle this case.

The error log:

db_1      | 2023-05-15 09:54:50.317 UTC [1120] ERROR:  duplicate key value violates unique constraint "users_user_username_key"
db_1      | 2023-05-15 09:54:50.317 UTC [1120] DETAIL:  Key (username)=(arslan-ashraf) already exists.
db_1      | 2023-05-15 09:54:50.317 UTC [1120] STATEMENT:  INSERT INTO "users_user" ("password", "last_login", "is_superuser", "created_on", "updated_on", "username", "email", "name", "is_staff", "is_active") VALUES ('<>, NULL, false, '2023-05-15T09:54:50.312660+00:00'::timestamptz, '2023-05-15T09:54:50.312681+00:00'::timestamptz, 'arslan-ashraf', 'arslan.ashraf+20@arbisoft.com', 'Arslan Ashraf20', false, false) RETURNING "users_user"."id"

I have followed the steps provided, and I did not encounter the mentioned issue. Based on my understanding, this issue should not occur as a result of this PR. The PR specifically checks for existing users based on their email addresses, not their usernames.

@aliraza-abbasi Sorry if I was unclear in my comment, I didn't mean that issue is being raised because of this PR, I'm saying that the behavior is changed in this PR when that issue raises:

1. In case of duplicate username collision, the previous implementations were used to handle it in a good manner. E.g. when a user submits the first page of the registration form and it the username collision happens, the user stays on the same page and when he clicks Continue again the user is created with an alternate username. So, the registration page 1/2 flow remains the same for the user.

2. On the other hand, While on this PR, The behavior is that when the user clicks on the Continue the first time but when he clicks the button again, We present them with a message that the user already exists message that can confuse the user.

[aliraza-abbasi]

@aliraza-abbasi Sorry if I was unclear in my comment, I didn't mean that issue is being raised because of this PR, I'm saying that the behavior is changed in this PR when that issue raises:

1. In case of duplicate username collision, the previous implementations were used to handle it in a good manner. E.g. when a user submits the first page of the registration form and it the username collision happens, the user stays on the same page and when he clicks Continue again the user is created with an alternate username. So, the registration page 1/2 flow remains the same for the user.

2. On the other hand, While on this PR, The behavior is that when the user clicks on the `Continue` the first time but when he clicks the button again, We present them with a message that the user already exists message that can confuse the user.

@arslanashraf7 My apologies for the confusion in my previous response. Clicking the "Continue" button again is equivalent to returning from Step 2 to Step 1. In this particular scenario I've done some testing and found a very sewer issue before making this PR, let's discuss it over a call tomorrow.

[arslanashraf7]

Looks good 👍 Just a couple of minor changes, Feel free to rebase/merge after that.