fix: handle existing users on invite token flow (#26217)

* fix(auth): validate user before signup with invite token

Validate if user already exists before creating account when
signing up with team or organization invite tokens. Existing users
are redirected to login to accept the invitation.

- Add user existence check in signup handlers
- Return 409 for existing users with redirect to login
- Extract signup fetch logic to dedicated module
- Add e2e test coverage

* fix(auth): address code review feedback

- Fix fetchSignup tests to use vi.spyOn for proper mock restoration
- Add content-type validation before parsing JSON response
- Guard against undefined error in Stripe callback
- Use t() for localized error message
- Fix race condition in handlers by catching P2002 on create

* fix(auth): address additional code review feedback

- Add INVALID_SERVER_RESPONSE constant to follow established pattern
- Check error.meta.target includes email before returning USER_ALREADY_EXISTS
to avoid false positives from other unique constraint violations
- Add select: { id: true } to user.create calls since downstream functions only
need the user id

* test: add unit tests for P2002 handling in signup handlers

- Add shared test suite covering all P2002 edge cases
- Ensure 409 only for email constraint violations
- Fix non-token paths to use atomic create + catch pattern

* fix: update error message copy per review feedback

* fix(auth): address code review feedback and prevent orphan Stripe customers

- Add user existence check before Stripe customer creation (token flow)
- Add select clause to user.create for consistency
- Fix showToast argument order (pre-existing bug)
- Use toHaveURL instead of waitForURL in E2E tests

* fix(auth): resolve 500 errors by fixing Prisma error detection across module boundaries

The instanceof check for PrismaClientKnownRequestError fails when different
Prisma client instances are loaded. Added fallback check by constructor name

* fix(auth): validate invitedTo before upsert on team invite signup

* test(auth): update P2002 tests for new invite flow

P2002 tests now use non-token flow since token flow uses upsert
Added tests for invitedTo validation on invite signup

* fix(auth): add guards and P2002 handling per review feedback

- Guard existingUser check with if (foundToken?.teamId)
- Guard username check with if (username) for premium flow
- Add `select` clause to findFirst/findUnique queries
- Add try-catch on upsert for race condition P2002 errors

* fix(auth): narrow P2002 handling to email/username targets

Author: pedroccastro

apps/web/modules/signup-view.tsx

@@ -16,6 +16,7 @@ import { z } from "zod";
 
 import getStripe from "@calcom/app-store/stripepayment/lib/client";
 import { getPremiumPlanPriceValue } from "@calcom/app-store/stripepayment/lib/utils";
+import { fetchSignup, isUserAlreadyExistsError, hasCheckoutSession } from "@calcom/features/auth/signup/lib/fetchSignup";
 import { getOrgUsernameFromEmail } from "@calcom/features/auth/signup/utils/getOrgUsernameFromEmail";
 import { getOrgFullOrigin } from "@calcom/features/ee/organizations/lib/orgDomains";
 import ServerTrans from "@calcom/lib/components/ServerTrans";
@@ -222,23 +223,6 @@ export default function Signup({
   const loadingSubmitState = isSubmitSuccessful || isSubmitting;
   const displayBackButton = token ? false : displayEmailForm;
 
-  const handleErrorsAndStripe = async (resp: Response) => {
-    if (!resp.ok) {
-      const err = await resp.json();
-      if (err.checkoutSessionId) {
-        const stripe = await getStripe();
-        if (stripe) {
-          const { error } = await stripe.redirectToCheckout({
-            sessionId: err.checkoutSessionId,
-          });
-          console.warn(error.message);
-        }
-      } else {
-        throw new Error(err.message);
-      }
-    }
-  };
-
   const isPlatformUser = redirectUrl?.includes("platform") && redirectUrl?.includes("new");
 
   const signUp: SubmitHandler<FormValues> = async (_data) => {
@@ -252,77 +236,90 @@ export default function Signup({
       username_taken: usernameTaken,
     });
 
-    await fetch("/api/auth/signup", {
-      body: JSON.stringify({
-        ...data,
-        language: i18n.language,
-        token,
-      }),
-      headers: {
-        "Content-Type": "application/json",
-        "cf-access-token": cfToken ?? "invalid-token",
-      },
-      method: "POST",
-    })
-      .then(handleErrorsAndStripe)
-      .then(async () => {
-        if (process.env.NEXT_PUBLIC_GTM_ID)
-          pushGTMEvent("create_account", { email: data.email, user: data.username, lang: data.language });
-
-        // telemetry.event(telemetryEventTypes.signup, collectPageParameters());
-
-        const gettingStartedPath = onboardingV3Enabled ? "onboarding/getting-started" : "getting-started";
-        const verifyOrGettingStarted = emailVerificationEnabled ? "auth/verify-email" : gettingStartedPath;
-        const gettingStartedWithPlatform = "settings/platform/new";
-
-        const constructCallBackIfUrlPresent = () => {
-          if (isOrgInviteByLink) {
-            return `${WEBAPP_URL}/${searchParams.get("callbackUrl")}`;
-          }
-
-          return addOrUpdateQueryParam(`${WEBAPP_URL}/${searchParams.get("callbackUrl")}`, "from", "signup");
-        };
+    try {
+      const result = await fetchSignup(
+        {
+          ...data,
+          language: i18n.language,
+          token,
+        },
+        cfToken
+      );
+
+      if (!result.ok) {
+        if (isUserAlreadyExistsError(result)) {
+          showToast(t("account_already_exists_please_login"), "warning");
+          const callbackUrl = token ? `/teams?token=${token}` : "/event-types";
+          setTimeout(() => {
+            router.push(`/auth/login?callbackUrl=${encodeURIComponent(callbackUrl)}`);
+          }, 3000);
+          return;
+        }
 
-        const constructCallBackIfUrlNotPresent = () => {
-          if (isPlatformUser) {
-            return `${WEBAPP_URL}/${gettingStartedWithPlatform}?from=signup`;
+        if (hasCheckoutSession(result)) {
+          const stripe = await getStripe();
+          if (stripe) {
+            const { error } = await stripe.redirectToCheckout({
+              sessionId: result.error.checkoutSessionId,
+            });
+            if (error) console.warn(error.message);
           }
+          return;
+        }
 
-          return `${WEBAPP_URL}/${verifyOrGettingStarted}?from=signup`;
-        };
+        throw new Error(result.error.message);
+      }
 
-        const constructCallBackUrl = () => {
-          const callbackUrlSearchParams = searchParams?.get("callbackUrl");
+      if (process.env.NEXT_PUBLIC_GTM_ID) {
+        pushGTMEvent("create_account", { email: data.email, user: data.username, lang: data.language });
+      }
 
-          return callbackUrlSearchParams
-            ? constructCallBackIfUrlPresent()
-            : constructCallBackIfUrlNotPresent();
-        };
+      const gettingStartedPath = onboardingV3Enabled ? "onboarding/getting-started" : "getting-started";
+      const verifyOrGettingStarted = emailVerificationEnabled ? "auth/verify-email" : gettingStartedPath;
+      const gettingStartedWithPlatform = "settings/platform/new";
 
-        const callBackUrl = constructCallBackUrl();
+      const constructCallBackIfUrlPresent = () => {
+        if (isOrgInviteByLink) {
+          return `${WEBAPP_URL}/${searchParams.get("callbackUrl")}`;
+        }
+        return addOrUpdateQueryParam(`${WEBAPP_URL}/${searchParams.get("callbackUrl")}`, "from", "signup");
+      };
 
-        await signIn<"credentials">("credentials", {
-          ...data,
-          callbackUrl: callBackUrl,
-        });
-      })
-      .catch((err) => {
-        setTurnstileKey((k) => k + 1);
-        formMethods.setValue("cfToken", undefined);
-
-        if (err.message === INVALID_CLOUDFLARE_TOKEN_ERROR) {
-          return;
+      const constructCallBackIfUrlNotPresent = () => {
+        if (isPlatformUser) {
+          return `${WEBAPP_URL}/${gettingStartedWithPlatform}?from=signup`;
         }
+        return `${WEBAPP_URL}/${verifyOrGettingStarted}?from=signup`;
+      };
 
-        posthog.capture("signup_form_submit_error", {
-          has_token: !!token,
-          is_org_invite: isOrgInviteByLink,
-          org_slug: orgSlug,
-          is_premium_username: premiumUsername,
-          error_message: err.message,
-        });
-        formMethods.setError("apiError", { message: err.message });
+      const constructCallBackUrl = () => {
+        const callbackUrlSearchParams = searchParams?.get("callbackUrl");
+        return callbackUrlSearchParams ? constructCallBackIfUrlPresent() : constructCallBackIfUrlNotPresent();
+      };
+
+      await signIn<"credentials">("credentials", {
+        ...data,
+        callbackUrl: constructCallBackUrl(),
       });
+    } catch (err) {
+      setTurnstileKey((k) => k + 1);
+      formMethods.setValue("cfToken", undefined);
+
+      const errorMessage = err instanceof Error ? err.message : t("unexpected_error_try_again");
+
+      if (errorMessage === INVALID_CLOUDFLARE_TOKEN_ERROR) {
+        return;
+      }
+
+      posthog.capture("signup_form_submit_error", {
+        has_token: !!token,
+        is_org_invite: isOrgInviteByLink,
+        org_slug: orgSlug,
+        is_premium_username: premiumUsername,
+        error_message: errorMessage,
+      });
+      formMethods.setError("apiError", { message: errorMessage });
+    }
   };
 
   return (
@@ -563,7 +560,7 @@ export default function Signup({
                         const username = formMethods.getValues("username");
                         if (!username) {
                           // should not be reached but needed to bypass type errors
-                          showToast("error", t("username_required"));
+                          showToast(t("username_required"), "error");
                           return;
                         }
 

apps/web/playwright/signup.e2e.ts

@@ -1,5 +1,6 @@
 import type { Page } from "@playwright/test";
 import { expect } from "@playwright/test";
+import { hashSync } from "bcryptjs";
 import { randomBytes } from "node:crypto";
 
 import { APP_NAME, IS_PREMIUM_USERNAME_ENABLED, IS_MAILHOG_ENABLED } from "@calcom/lib/constants";
@@ -115,6 +116,86 @@ test.describe("Email Signup Flow Test", async () => {
       expect(alertMessageInner).toContain(alertMessageInner);
     });
   });
+
+  test("Signup with org invite token for existing user redirects to login without overwriting password", async ({
+    page,
+    prisma,
+  }) => {
+    const originalPassword = "OriginalPass99!";
+    const attackerPassword = "AttackerPass99!";
+    const testEmail = `existing-user-${Date.now()}@example.com`;
+
+    // Create existing user without emailVerified to bypass server-side check
+    const hashedPassword = hashSync(originalPassword, 12);
+    const existingUser = await prisma.user.create({
+      data: {
+        email: testEmail,
+        username: `existing-user-${Date.now()}`,
+        password: { create: { hash: hashedPassword } },
+        emailVerified: null,
+      },
+    });
+
+    // Create org invite token for the existing user's email
+    const token = randomBytes(32).toString("hex");
+    const org = await prisma.team.create({
+      data: {
+        name: "Test Org",
+        slug: `test-org-${Date.now()}`,
+        isOrganization: true,
+      },
+    });
+
+    await prisma.verificationToken.create({
+      data: {
+        identifier: existingUser.email,
+        token,
+        expires: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
+        teamId: org.id,
+      },
+    });
+
+    // Clear any existing session before attempting signup
+    await page.context().clearCookies();
+
+    // Try to signup with the invite token using a different password
+    await page.goto(`/signup?token=${token}`);
+    await expect(page.getByTestId("signup-submit-button")).toBeVisible();
+
+    await page.locator('input[name="password"]').fill(attackerPassword);
+
+    // Intercept the signup API request to verify 409 response
+    const responsePromise = page.waitForResponse(
+      (response) => response.url().includes("/api/auth/signup") && response.request().method() === "POST"
+    );
+
+    const submitButton = page.getByTestId("signup-submit-button");
+    await submitButton.click();
+
+    // Verify API returns 409 (user already exists)
+    const response = await responsePromise;
+    expect(response.status()).toBe(409);
+
+    const responseBody = await response.json();
+    expect(responseBody.message).toBe("user_already_exists");
+
+    // Should redirect to login (toast shows and redirects after 3s)
+    await expect(page).toHaveURL(/\/auth\/login/, { timeout: 8000 });
+
+    // Verify original password still works by logging in
+    await page.locator('input[name="email"]').fill(existingUser.email);
+    await page.locator('input[name="password"]').fill(originalPassword);
+    await page.locator('button[type="submit"]').click();
+
+    // Should successfully login with original password
+    await expect(page).toHaveURL(/\/(getting-started|event-types|teams)/, { timeout: 8000 });
+
+    // Cleanup
+    await prisma.verificationToken.deleteMany({ where: { token } });
+    await prisma.user.delete({ where: { id: existingUser.id } });
+    await prisma.team.delete({ where: { id: org.id } });
+  });
+
   test("Premium Username Flow - creates stripe checkout", async ({ page, users, prisma }) => {
     // eslint-disable-next-line playwright/no-skipped-test
     test.skip(!IS_PREMIUM_USERNAME_ENABLED, "Only run on Cal.com");
@@ -182,7 +263,7 @@ test.describe("Email Signup Flow Test", async () => {
     // Verify that the username is the same as the one provided and isn't accidentally changed to email derived username - That happens only for organization member signup
     expect(dbUser?.username).toBe(userToCreate.username);
   });
-  test("Signup fields prefilled with query params", async ({ page, users }) => {
+  test("Signup fields prefilled with query params", async ({ page, users: _users }) => {
     const signupUrlWithParams = "/signup?username=rick-jones&email=rick-jones%40example.com";
     await page.goto(signupUrlWithParams);
     await preventFlakyTest(page);
@@ -354,7 +435,7 @@ test.describe("Email Signup Flow Test", async () => {
     });
   });
 
-  test("Checkbox for cookie consent does not need to be checked", async ({ page, users }) => {
+  test("Checkbox for cookie consent does not need to be checked", async ({ page, users: _users }) => {
     await page.goto("/signup");
     await preventFlakyTest(page);
 

apps/web/public/static/locales/en/common.json

@@ -4185,5 +4185,6 @@
   "audit_logs_owner_not_in_organization": "The booking owner is not a member of your organization.",
   "audit_logs_permission_denied": "You do not have permission to view audit logs for this booking.",
   "audit_logs_permission_check_error": "An error occurred while checking permissions.",
+  "account_already_exists_please_login": "An account with this email already exists. Please log in to accept the invitation.",
   "ADD_NEW_STRINGS_ABOVE_THIS_LINE_TO_PREVENT_MERGE_CONFLICTS": "↑↑↑↑↑↑↑↑↑↑↑↑↑ Add your new strings above here ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑"
 }

packages/features/auth/signup/constants.ts

@@ -0,0 +1,6 @@
+export const SIGNUP_ERROR_CODES = {
+  USER_ALREADY_EXISTS: "user_already_exists",
+  INVALID_SERVER_RESPONSE: "invalid_server_response",
+} as const;
+
+export type SignupErrorCode = (typeof SIGNUP_ERROR_CODES)[keyof typeof SIGNUP_ERROR_CODES];