fix: [auth] Enforce unique email addresses on user registration

Add unique constraint to User.email field at model, form, and API levels
to prevent multiple accounts with the same email address.

- Add unique=True to User.email with migration
- Add clean_email() to SignUpForm with case-insensitive duplicate check
- Add clean_email() to UserUpdateForm (excludes current user)
- Change UserInputSerializer.email to EmailField with uniqueness validation
- Mark password field as write_only in UserInputSerializer

Fixes #45

Author: pparage

api/serializers.py

@@ -29,8 +29,8 @@ class Meta:
 
 class UserInputSerializer(serializers.ModelSerializer):
     username = serializers.CharField(max_length=200, required=True)
-    email = serializers.CharField(max_length=200, required=True)
-    password = serializers.CharField(max_length=200, required=True)
+    email = serializers.EmailField(max_length=254, required=True)
+    password = serializers.CharField(max_length=200, required=True, write_only=True)
     company_name = serializers.CharField(max_length=200, required=True)
     address = serializers.CharField(max_length=200, required=True)
     post_code = serializers.CharField(max_length=200, required=True)
@@ -50,6 +50,13 @@ class Meta:
             "vat_number",
         ]
 
+    def validate_email(self, value):
+        if User.objects.filter(email__iexact=value).exists():
+            raise serializers.ValidationError(
+                "A user with this email address already exists."
+            )
+        return value
+
 
 #
 # Model: TLS Scan History

authentication/forms.py

@@ -39,14 +39,24 @@ class Meta(UserCreationForm.Meta):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         for visible in self.visible_fields():
-            visible.field.widget.attrs["class"] = "form-control multi-purpose-gray-200_border"
+            visible.field.widget.attrs["class"] = (
+                "form-control multi-purpose-gray-200_border"
+            )
+
+    def clean_email(self):
+        email = self.cleaned_data.get("email")
+        if User.objects.filter(email__iexact=email).exists():
+            raise ValidationError("An account with this email address already exists.")
+        return email
 
 
 class LoginForm(AuthenticationForm):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         for visible in self.visible_fields():
-            visible.field.widget.attrs["class"] = "form-control multi-purpose-gray-200_border"
+            visible.field.widget.attrs["class"] = (
+                "form-control multi-purpose-gray-200_border"
+            )
 
 
 class UserUpdateForm(forms.ModelForm):
@@ -67,6 +77,16 @@ def __init__(self, *args, **kwargs):
         for visible in self.visible_fields():
             visible.field.widget.attrs["class"] = "form-control"
 
+    def clean_email(self):
+        email = self.cleaned_data.get("email")
+        if (
+            User.objects.filter(email__iexact=email)
+            .exclude(pk=self.instance.pk)
+            .exists()
+        ):
+            raise ValidationError("An account with this email address already exists.")
+        return email
+
 
 class ChangePasswordForm(PasswordChangeForm):
     def __init__(self, *args, **kwargs):

authentication/migrations/0006_enforce_unique_email.py

@@ -0,0 +1,20 @@
+# Generated by Django 5.2.11 on 2026-02-23 14:14
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentication", "0005_user_ldih_uuid"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="user",
+            name="email",
+            field=models.EmailField(
+                max_length=254, unique=True, verbose_name="email address"
+            ),
+        ),
+    ]

authentication/models.py

@@ -3,6 +3,7 @@
 
 
 class User(AbstractUser):
+    email = models.EmailField("email address", unique=True)
     company_name = models.CharField(max_length=200)
     address = models.CharField(max_length=200)
     post_code = models.CharField(max_length=200)