Handle the case where there are multiple users with the same username, but with a different casing.

sandhose · sandhose · commit 58551c9a6211 · 2025-04-11T15:38:28.000+02:00
diff --git a/crates/storage-pg/src/user/mod.rs b/crates/storage-pg/src/user/mod.rs
@@ -165,6 +165,9 @@ impl UserRepository for PgUserRepository<'_> {
         err,
     )]
     async fn find_by_username(&mut self, username: &str) -> Result<Option<User>, Self::Error> {
+        // We may have multiple users with the same username, but with a different
+        // casing. In this case, we want to return the one which matches the exact
+        // casing
         let res = sqlx::query_as!(
             UserLookup,
             r#"
@@ -180,12 +183,25 @@ impl UserRepository for PgUserRepository<'_> {
             username,
         )
         .traced()
-        .fetch_optional(&mut *self.conn)
+        .fetch_all(&mut *self.conn)
         .await?;
 
-        let Some(res) = res else { return Ok(None) };
-
-        Ok(Some(res.into()))
+        match &res[..] {
+            // Happy path: there is only one user matching the username…
+            [user] => Ok(Some(user.clone().into())),
+            // …or none.
+            [] => Ok(None),
+            list => {
+                // If there are multiple users with the same username, we want to
+                // return the one which matches the exact casing
+                if let Some(user) = list.iter().find(|user| user.username == username) {
+                    Ok(Some(user.clone().into()))
+                } else {
+                    // If none match exactly, we prefer to return nothing
+                    Ok(None)
+                }
+            }
+        }
     }
 
     #[tracing::instrument(
diff --git a/crates/storage-pg/src/user/tests.rs b/crates/storage-pg/src/user/tests.rs
@@ -216,6 +216,50 @@ async fn test_user_repo(pool: PgPool) {
     repo.save().await.unwrap();
 }
 
+/// Test [`UserRepository::find_by_username`] with different casings.
+#[sqlx::test(migrator = "crate::MIGRATOR")]
+async fn test_user_repo_find_by_username(pool: PgPool) {
+    let mut repo = PgRepository::from_pool(&pool).await.unwrap().boxed();
+    let mut rng = ChaChaRng::seed_from_u64(42);
+    let clock = MockClock::default();
+
+    let alice = repo
+        .user()
+        .add(&mut rng, &clock, "Alice".to_owned())
+        .await
+        .unwrap();
+    let bob1 = repo
+        .user()
+        .add(&mut rng, &clock, "Bob".to_owned())
+        .await
+        .unwrap();
+    let bob2 = repo
+        .user()
+        .add(&mut rng, &clock, "BOB".to_owned())
+        .await
+        .unwrap();
+
+    // This is fine, we can do a case-insensitive search
+    assert_eq!(
+        repo.user().find_by_username("alice").await.unwrap(),
+        Some(alice)
+    );
+
+    // In case there are multiple users with the same username, we should return the
+    // one that matches the exact casing
+    assert_eq!(
+        repo.user().find_by_username("Bob").await.unwrap(),
+        Some(bob1)
+    );
+    assert_eq!(
+        repo.user().find_by_username("BOB").await.unwrap(),
+        Some(bob2)
+    );
+
+    // If none match, we should return None
+    assert!(repo.user().find_by_username("bob").await.unwrap().is_none());
+}
+
 /// Test the user email repository, by trying out most of its methods
 #[sqlx::test(migrator = "crate::MIGRATOR")]
 async fn test_user_email_repo(pool: PgPool) {
