fix(auth): check username and email duplicates independently with specific error messages

[ojaswa072]

Summary

Fixed a logic bug in the signup endpoint where email uniqueness was only checked if the username was not already taken.

Problem

The original code used a chained if not existing_user check, meaning:

• If username existed → correct error
• If username was free but email was taken → correct error
• If both existed → only username error shown, email never checked independently

This also returned a generic "User already exists" message with no indication of which field caused the conflict.

Fix

• Check username and email independently in separate queries
• Return specific error messages: "Username already taken" and "Email already registered"
• Ensures both fields are always validated regardless of each other

Files Changed

• src/handlers/auth.py — signup duplicate check logic

Summary by CodeRabbit

• Bug Fixes
  • Signup flow now returns distinct, clear error messages when a username or email is already in use.
  • Creation is more robust: duplicate-constraint errors for username or email are caught and surfaced as specific 400 responses, preventing ambiguous failures while preserving existing post-signup behavior.

[owasp-blt]

👋 Thanks for opening this pull request, @ojaswa072!

Before your PR is reviewed, please ensure:

• Your code follows the project's coding style and guidelines.
• You have written or updated tests for your changes.
• The commit messages are clear and descriptive.
• You have linked any relevant issues (e.g., Closes #123).

🔍 Our team will review your PR shortly. If you have questions, feel free to ask in the comments.

🚀 Keep up the great work! — OWASP BLT

[owasp-blt]

📊 Monthly Leaderboard

Hi @ojaswa072! Here's how you rank for March 2026:

Rank	User	Open PRs	PRs (merged)	PRs (closed)	Reviews	Comments	Total
🥇 #1	@Nachiket-Roy	8	44	13	5	4	455
🥈 #2	@ojaswa072 ✨	10	29	0	0	1	302
#3	@Kunal241207	4	24	0	1	3	255

---

Scoring this month (across OWASP-BLT org): Open PRs (+1 each), Merged PRs (+10), Closed (not merged) (−2), Reviews (+5; first two per PR in-month), Comments (+2, excludes CodeRabbit). Run /leaderboard on any issue or PR to see your rank!

[coderabbitai]

Warning

Rate limit exceeded

@ojaswa072 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 41 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: Repository: OWASP-BLT/coderabbit/.coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 28f2a3eb-689f-4815-9d0a-eb6b3557f90c

📥 Commits

Reviewing files that changed from the base of the PR and between 238ed5a and b873dbc.

📒 Files selected for processing (1)

• src/handlers/auth.py

Walkthrough

The handle_signup function in the auth handler was refactored to validate username and email existence separately, returning specific error messages for each case instead of a combined check.

Changes

Cohort / File(s)	Summary
User Validation Logic src/handlers/auth.py	Split combined username and email existence check into independent validations, each returning a specific error message ("Username already taken" vs. "Email already registered").

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

quality: medium

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately and concisely summarizes the main change: splitting the combined duplicate user check into independent username and email validations with specific error messages.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

src/handlers/auth.py (1)

8-8: Unused import shadows local variable.

The import from src.libs import db is not used anywhere in this file. Additionally, the local variable db assigned on line 89 shadows this imported module name, which could cause confusion.

🧹 Proposed fix

-from src.libs import db

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/handlers/auth.py` at line 8, The top-level import "from src.libs import
db" is unused and conflicts with the local variable named db (assigned at the db
variable declaration around line 89), so either remove that unused import or
rename one of them to avoid shadowing; the simplest fix is to delete the unused
module import "from src.libs import db" in src/handlers/auth.py, otherwise alias
the import (e.g., libs_db) or rename the local variable (e.g., local_db)
consistently wherever it’s referenced.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/handlers/auth.py`:
- Around line 94-100: The pre-checks (existing_username/existing_email) still
allow a TOCTOU race so wrap the User.create(...) call in a specific try/except
that detects unique-constraint violations from the DB driver and maps them to
the appropriate 400 responses (use error_response("Username already taken", 400)
or error_response("Email already registered", 400) depending on which constraint
failed); leave other exceptions to propagate to the existing outer handler.
Update the exception detection to inspect the DB error type/message returned by
your driver (SQLite/D1) and ensure the handler references User.create,
existing_username, existing_email, and error_response so the correct
client-facing 400 is returned on constraint violations.

---

Nitpick comments:
In `@src/handlers/auth.py`:
- Line 8: The top-level import "from src.libs import db" is unused and conflicts
with the local variable named db (assigned at the db variable declaration around
line 89), so either remove that unused import or rename one of them to avoid
shadowing; the simplest fix is to delete the unused module import "from src.libs
import db" in src/handlers/auth.py, otherwise alias the import (e.g., libs_db)
or rename the local variable (e.g., local_db) consistently wherever it’s
referenced.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: OWASP-BLT/coderabbit/.coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 0eaabcfb-6eaa-4810-80fb-cfcf6ee58519

📥 Commits

Reviewing files that changed from the base of the PR and between efc926c and 238ed5a.

📒 Files selected for processing (1)

• src/handlers/auth.py

[ojaswa072]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/handlers/auth.py`:
- Line 8: Remove the unused top-level import "from src.libs import db" in
src/handlers/auth.py because the file uses the local variable db returned by
get_db_safe(env) (see get_db_safe and the local variable db around where DB is
used), so delete that import line and run linters/tests to ensure nothing else
relied on the module-level name.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: OWASP-BLT/coderabbit/.coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 4943e7f9-a6e1-4e0c-860d-7d98b1eab6b9

📥 Commits

Reviewing files that changed from the base of the PR and between 238ed5a and f57b03b.

📒 Files selected for processing (1)

• src/handlers/auth.py