
Same Username Allowed with Different Email #274

@unijaychie

Description


Severity: High (Security Risk)
Allows users to impersonate others by adopting their usernames, leading to confusion and potential phishing.

Describe the bug
When a user attempts to change their username to one that is already in use by another account (with a different email address), the app does not validate username uniqueness and allows the change without displaying an error. This violates data integrity and user experience principles.

To Reproduce
Steps to reproduce the behavior:

  1. Navigate to https://app.aixblock.io/user/account.
  2. Log in with an account that has a unique username (e.g., UNI).
  3. Attempt to change the username to one that is already in use by another account (e.g., UNI).
  4. Click Save or Update.
  5. Observe that the app does not display an error and allows the username change to proceed.

Expected behavior
The app should validate that the username is unique across all accounts and display an error (e.g., "Username already taken").

Screenshots

(two screenshots attached to the original issue)

Desktop (please complete the following information):
OS: Windows 11
Browser: Chrome
Version: v139.0.7258.139

Additional context
Users may unknowingly adopt a username already in use, leading to confusion or conflicts.

Suggested Fix
Frontend Fix:

Add a username uniqueness check before allowing the update.
Example (JavaScript):

javascript

const validateUsernameUniqueness = async (newUsername) => {
  const response = await fetch('/api/check-username', {
    method: 'POST',
    // Without this header express.json() leaves req.body empty on the server
    headers: { 'Content-Type': 'application/json' },
    credentials: 'same-origin',
    body: JSON.stringify({ username: newUsername }),
  });
  if (!response.ok) {
    throw new Error(`check-username failed with HTTP ${response.status}`);
  }
  const data = await response.json();
  if (!data.isAvailable) {
    alert("Username already taken. Please choose a different one.");
    return false;
  }
  return true;
};

// Example usage
if (await validateUsernameUniqueness(newUsername)) {
  updateUsername(newUsername);
}

Backend Fix (Critical):

Ensure the /api/update-username endpoint checks for username uniqueness in the database.
Example (Node.js/Express):

javascript

// Assumes auth middleware has populated req.user and express.json() is mounted
app.post('/api/update-username', async (req, res) => {
  const { username } = req.body;
  // Exclude the caller's own record so re-saving the current name is allowed
  const existingUser = await User.findOne({ username, _id: { $ne: req.user._id } });
  if (existingUser) {
    return res.status(400).send("Username already taken");
  }
  // Proceed with update. A unique index on `username` must back this check:
  // findOne followed by a separate write is racy under concurrent requests.
  await User.updateOne({ _id: req.user._id }, { username });
  res.status(200).send("Username updated");
});
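The handler below is an added example written for this edit; it is neither AIxBlock's code nor the reporter's. It goes beyond the exact-match case the issue reports and shows what a server-side uniqueness check needs in practice: the caller's identity taken from the session rather than the request body, the caller's own row excluded so re-saving their own name works, a canonical key (NFKC-normalised and lower-cased) so "uni" or fullwidth "ＵＮＩ" cannot be registered beside an existing "UNI", and the check and write performed as one step instead of a findOne followed by a save. The in-memory UserStore, the sample accounts, the allowed-character rule and the request shape are all assumptions; in a real deployment the atomicity comes from a unique index on the normalised column.

```javascript
// Added example, not the project's code. Assumptions: users live in an
// in-memory table that stands in for the database, and the authenticated
// user id comes from the session (req.user.id), never from the request body.

// Constructed sample data: two accounts with different email addresses.
const SAMPLE_USERS = [
  { id: 1, email: 'uni@example.com', username: 'UNI' },
  { id: 2, email: 'bob@example.com', username: 'bob' },
];

// Canonical key used for the uniqueness comparison. NFKC folds compatibility
// characters (fullwidth "ＵＮＩ" becomes "UNI") and lower-casing folds
// "UNI"/"uni", so look-alike names map to the same key. Returns null when the
// name is not a string or fails the (assumed) allowed-character rule.
function normalizeUsername(raw) {
  if (typeof raw !== 'string') return null;
  const key = raw.normalize('NFKC').trim().toLowerCase();
  return /^[a-z0-9_]{3,32}$/.test(key) ? key : null;
}

class UserStore {
  constructor(rows) {
    this.rows = rows.map((r) => ({ ...r, usernameKey: normalizeUsername(r.username) }));
  }

  // Models "UPDATE users SET username = ? WHERE id = ?" guarded by a unique
  // index on usernameKey. In a real database the index enforces this
  // atomically; here the method is synchronous, so the check and the write
  // cannot interleave with another request. A findOne() followed by a
  // separate save() would leave a window for two requests to take one name.
  updateUsername(userId, newUsername) {
    const key = normalizeUsername(newUsername);
    if (key === null) return { status: 400, body: 'Invalid username' };
    // Exclude the caller's own row so re-saving or re-casing their name works.
    const takenByOther = this.rows.some((r) => r.usernameKey === key && r.id !== userId);
    if (takenByOther) return { status: 409, body: 'Username already taken' };
    const row = this.rows.find((r) => r.id === userId);
    if (!row) return { status: 404, body: 'User not found' };
    row.username = newUsername.normalize('NFKC').trim();
    row.usernameKey = key;
    return { status: 200, body: 'Username updated' };
  }
}

// Handler in Express shape: req.user is set by auth middleware, req.body by
// express.json(). It returns { status, body } instead of writing to res so it
// can be exercised without starting a server.
function handleUpdateUsername(store, req) {
  if (!req.user || typeof req.user.id !== 'number') {
    return { status: 401, body: 'Not authenticated' };
  }
  return store.updateUsername(req.user.id, req.body && req.body.username);
}

// Stand-alone run against the sample data.
if (typeof require !== 'undefined' && require.main === module) {
  const store = new UserStore(SAMPLE_USERS);
  for (const name of ['UNI', 'uni', '\uFF35\uFF2E\uFF29', 'bob_2']) {
    // user 2 tries to take user 1's name in several spellings, then a free one
    console.log(name, handleUpdateUsername(store, { user: { id: 2 }, body: { username: name } }));
  }
}
```

The client-side check from the issue remains useful for feedback, but it is skipped by anyone who calls the endpoint directly, so only the server-side path above decides whether a name is taken.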
