fix: Username check for sign-up with invitation in org context (#10375)

Author: leog

apps/web/pages/api/auth/signup.ts

@@ -42,37 +42,6 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
     return;
   }
 
-  // There is an existingUser if the username matches
-  // OR if the email matches AND either the email is verified
-  // or both username and password are set
-  const existingUser = await prisma.user.findFirst({
-    where: {
-      OR: [
-        { username },
-        {
-          AND: [
-            { email: userEmail },
-            {
-              OR: [
-                { emailVerified: { not: null } },
-                {
-                  AND: [{ password: { not: null } }, { username: { not: null } }],
-                },
-              ],
-            },
-          ],
-        },
-      ],
-    },
-  });
-
-  if (existingUser) {
-    const message: string =
-      existingUser.email !== userEmail ? "Username already taken" : "Email address is already registered";
-
-    return res.status(409).json({ message });
-  }
-
   let foundToken: { id: number; teamId: number | null; expires: Date } | null = null;
   if (token) {
     foundToken = await prisma.verificationToken.findFirst({
@@ -100,6 +69,36 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
         return res.status(409).json({ message: "Username already taken" });
       }
     }
+  } else {
+    // There is an existingUser if the username matches
+    // OR if the email matches AND either the email is verified
+    // or both username and password are set
+    const existingUser = await prisma.user.findFirst({
+      where: {
+        OR: [
+          { username },
+          {
+            AND: [
+              { email: userEmail },
+              {
+                OR: [
+                  { emailVerified: { not: null } },
+                  {
+                    AND: [{ password: { not: null } }, { username: { not: null } }],
+                  },
+                ],
+              },
+            ],
+          },
+        ],
+      },
+    });
+    if (existingUser) {
+      const message: string =
+        existingUser.email !== userEmail ? "Username already taken" : "Email address is already registered";
+
+      return res.status(409).json({ message });
+    }
   }
 
   const hashedPassword = await hashPassword(password);

packages/lib/validateUsernameInOrg.ts

@@ -21,6 +21,17 @@ export const validateUsernameInOrg = async (usernameSlug: string, teamId: number
       },
     });
 
+    const usersFound = await prisma.user.findMany({
+      where: {
+        organizationId: teamId,
+      },
+      select: {
+        username: true,
+      },
+    });
+
+    takenSlugs = usersFound.map((user) => user.username);
+
     // If only one team is found and it has a parent, then it's an child team
     // and we can use the parent id to find all the teams that belong to this org
     if (teamsFound && teamsFound.length === 1 && teamsFound[0].parentId) {
@@ -34,9 +45,9 @@ export const validateUsernameInOrg = async (usernameSlug: string, teamId: number
           slug: true,
         },
       });
-      takenSlugs = childTeams.map((team) => team.slug);
+      takenSlugs = takenSlugs.concat(childTeams.map((team) => team.slug));
     } else {
-      takenSlugs = teamsFound.map((team) => team.slug);
+      takenSlugs = takenSlugs.concat(teamsFound.map((team) => team.slug));
     }
 
     return !takenSlugs.includes(slugify(usernameSlug));