scanopy
diff --git a/‎backend/src/server/auth/handlers.rs‎
Lines changed: 82 additions & 14 deletions b/‎backend/src/server/auth/handlers.rs‎
Lines changed: 82 additions & 14 deletions
diff --git a/‎backend/src/server/auth/impl/api.rs‎
Lines changed: 7 additions & 0 deletions b/‎backend/src/server/auth/impl/api.rs‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎backend/src/server/auth/middleware/rate_limit.rs‎
Lines changed: 6 additions & 6 deletions b/‎backend/src/server/auth/middleware/rate_limit.rs‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎backend/src/server/auth/oidc.rs‎
Lines changed: 93 additions & 9 deletions b/‎backend/src/server/auth/oidc.rs‎
Lines changed: 93 additions & 9 deletions
diff --git a/‎backend/tests/integration/infra.rs‎
Lines changed: 1 addition & 1 deletion b/‎backend/tests/integration/infra.rs‎
Lines changed: 1 addition & 1 deletion
@@ -2,10 +2,11 @@ use crate::server::{
     auth::{
         r#impl::{
             api::{
-                ForgotPasswordRequest, LoginRequest, OidcAuthorizeParams, OidcCallbackParams,
-                OnboardingNetworkState, OnboardingStateResponse, OnboardingStepRequest,
-                RegisterRequest, ResendVerificationRequest, ResetPasswordRequest, SetupRequest,
-                SetupResponse, UpdateEmailPasswordRequest, VerifyEmailRequest,
+                CheckEmailRequest, ForgotPasswordRequest, LoginRequest, OidcAuthorizeParams,
+                OidcCallbackParams, OnboardingNetworkState, OnboardingStateResponse,
+                OnboardingStepRequest, RegisterRequest, ResendVerificationRequest,
+                ResetPasswordRequest, SetupRequest, SetupResponse, UpdateEmailPasswordRequest,
+                VerifyEmailRequest,
             },
             base::{LoginRegisterParams, PendingNetworkSetup, PendingSetup},
             oidc::{OidcFlow, OidcPendingAuth, OidcProviderMetadata, OidcRegisterParams},
@@ -14,7 +15,7 @@ use crate::server::{
             auth::AuthenticatedEntity,
             permissions::{Authorized, IsUser},
         },
-        oidc::OidcService,
+        oidc::{OidcRegisterResult, OidcService},
     },
     config::{AppState, DeploymentType, get_deployment_type},
     daemon_api_keys::r#impl::base::{DaemonApiKey, DaemonApiKeyBase},
@@ -24,15 +25,18 @@ use crate::server::{
     shared::{
         events::types::{TelemetryEvent, TelemetryOperation},
         services::traits::CrudService,
+        storage::filter::StorableFilter,
         storage::traits::Storable,
         types::api::{ApiError, ApiErrorResponse, ApiResponse, ApiResult, EmptyApiResponse},
+        types::error_codes::ErrorCode,
     },
     snmp_credentials::r#impl::base::{SnmpCredential, SnmpCredentialBase, SnmpVersion},
     topology::types::base::{Topology, TopologyBase},
     users::r#impl::base::User,
 };
 use axum::{
     extract::{Path, Query, State},
+    http::StatusCode,
     response::{Json, Redirect},
     routing::get,
 };
@@ -51,6 +55,7 @@ pub const DEMO_HOST: &str = "demo.scanopy.net";
 
 pub fn create_router() -> OpenApiRouter<Arc<AppState>> {
     OpenApiRouter::new()
+        .routes(routes!(check_email))
         .routes(routes!(register))
         .routes(routes!(login))
         .routes(routes!(logout))
@@ -70,6 +75,36 @@ pub fn create_router() -> OpenApiRouter<Arc<AppState>> {
         .routes(routes!(resend_verification))
 }
 
+#[utoipa::path(
+    post,
+    path = "/check-email",
+    tags = ["auth", "internal"],
+    request_body = CheckEmailRequest,
+    responses(
+        (status = 200, description = "Email is available", body = EmptyApiResponse),
+        (status = 409, description = "Email already in use", body = ApiErrorResponse),
+    )
+)]
+async fn check_email(
+    State(state): State<Arc<AppState>>,
+    Json(request): Json<CheckEmailRequest>,
+) -> ApiResult<Json<ApiResponse<()>>> {
+    let existing = state
+        .services
+        .user_service
+        .get_all(StorableFilter::<User>::new_from_email(&request.email))
+        .await?;
+    if !existing.is_empty() {
+        return Err(ApiError::coded(
+            StatusCode::CONFLICT,
+            ErrorCode::UserEmailInUse {
+                email: request.email.to_string(),
+            },
+        ));
+    }
+    Ok(Json(ApiResponse::success(())))
+}
+
 #[utoipa::path(
     post,
     path = "/register",
@@ -117,6 +152,21 @@ async fn register(
         ));
     }
 
+    // Check if email is already in use
+    let existing = state
+        .services
+        .user_service
+        .get_all(StorableFilter::<User>::new_from_email(&request.email))
+        .await?;
+    if !existing.is_empty() {
+        return Err(ApiError::coded(
+            StatusCode::CONFLICT,
+            ErrorCode::UserEmailInUse {
+                email: request.email.to_string(),
+            },
+        ));
+    }
+
     let user_agent = user_agent.map(|u| u.to_string());
 
     // Check for pending invite
@@ -1388,7 +1438,12 @@ async fn handle_register_flow(
         )
         .await
     {
-        Ok(user) => {
+        Ok(result) => {
+            let (user, is_new_user) = match result {
+                OidcRegisterResult::NewUser(user) => (user, true),
+                OidcRegisterResult::ExistingUser(user) => (user, false),
+            };
+
             // Cycle session ID to prevent session fixation attacks
             if let Err(e) = session.cycle_id().await {
                 tracing::error!("Failed to cycle session ID: {}", e);
@@ -1409,35 +1464,48 @@ async fn handle_register_flow(
                 )));
             }
 
-            // If this is a new org and setup was provided, apply it
-            if is_new_org {
+            // Only apply pending setup for new users in new orgs
+            if is_new_user && is_new_org {
                 if let Some(setup) = pending_setup
                     && let Err(e) = apply_pending_setup(&state, &user, setup).await
                 {
                     tracing::error!("Failed to apply pending setup: {:?}", e);
                     // Don't fail registration, just log the error
                     // The user can complete onboarding manually
                 }
-
-                // Clear pending setup data from session
-                clear_pending_setup(&session).await;
             }
 
+            // Clear pending setup data from session
+            clear_pending_setup(&session).await;
+
             // Clear OIDC session data
             let _ = session.remove::<OidcPendingAuth>("oidc_pending_auth").await;
             let _ = session.remove::<String>("oidc_provider_slug").await;
             let _ = session.remove::<String>("oidc_return_url").await;
             let _ = session.remove::<bool>("oidc_terms_accepted").await;
             let _ = session.remove::<bool>("oidc_marketing_opt_in").await;
 
-            Ok(Redirect::to(return_url.as_str()))
+            if is_new_user {
+                Ok(Redirect::to(return_url.as_str()))
+            } else {
+                // Existing user auto-logged in — send to app root, not onboarding
+                Ok(Redirect::to("/"))
+            }
         }
         Err(e) => {
             tracing::error!("Failed to register via OIDC: {}", e);
+            let error_msg = format!("Failed to register: {}", e);
+            let err_str = e.to_string();
+            let error_code = if err_str.contains("already exists") {
+                "&error_code=user_email_in_use"
+            } else {
+                ""
+            };
             Err(Redirect::to(&format!(
-                "{}?error={}",
+                "{}?error={}{}",
                 return_url,
-                urlencoding::encode(&format!("Failed to register: {}", e))
+                urlencoding::encode(&error_msg),
+                error_code
             )))
         }
     }
 
@@ -43,6 +43,13 @@ fn validate_password_complexity(password: &str) -> Result<(), validator::Validat
     Ok(())
 }
 
+/// Check email availability request
+#[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
+pub struct CheckEmailRequest {
+    #[schema(value_type = String, format = "email")]
+    pub email: EmailAddress,
+}
+
 /// Session user info (stored in session, not in database)
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct SessionUser {
 
@@ -51,10 +51,10 @@ fn get_limiters() -> &'static RateLimiters {
                 Quota::per_minute(NonZeroU32::new(300).unwrap())
                     .allow_burst(NonZeroU32::new(150).unwrap()),
             )),
-            // Anonymous/unauthenticated: 20 requests per minute with burst of 5
+            // Anonymous/unauthenticated: 40 requests per minute with burst of 10
             anonymous: Arc::new(RateLimiter::keyed(
-                Quota::per_minute(NonZeroU32::new(20).unwrap())
-                    .allow_burst(NonZeroU32::new(5).unwrap()),
+                Quota::per_minute(NonZeroU32::new(40).unwrap())
+                    .allow_burst(NonZeroU32::new(10).unwrap()),
             )),
             // External services (Prometheus, etc.): 60 requests per minute with burst of 10
             // Sufficient for typical 15-30 second scrape intervals
@@ -160,16 +160,16 @@ fn check_anonymous(ip: IpAddr) -> Result<RateLimitInfo, RateLimitInfo> {
 
     match limiters.anonymous.check_key(&key) {
         Ok(_) => Ok(RateLimitInfo {
-            limit: 20,
-            remaining: 19,
+            limit: 40,
+            remaining: 39,
             reset_in_secs: 60,
         }),
         Err(not_until) => {
             let wait_time = not_until
                 .wait_time_from(DefaultClock::default().now())
                 .as_secs();
             Err(RateLimitInfo {
-                limit: 20,
+                limit: 40,
                 remaining: 0,
                 reset_in_secs: wait_time,
             })
 
@@ -28,6 +28,14 @@ use crate::server::{
     users::{r#impl::base::User, service::UserService},
 };
 
+/// Result of OIDC register — distinguishes new registration from auto-login of existing user
+pub enum OidcRegisterResult {
+    /// Brand new user was created
+    NewUser(User),
+    /// Existing user was found and logged in (OIDC subject or email matched)
+    ExistingUser(User),
+}
+
 pub struct OidcService {
     providers: HashMap<String, Arc<OidcProvider>>,
     auth_service: Arc<AuthService>,
@@ -93,14 +101,14 @@ impl OidcService {
         self.providers.is_empty()
     }
 
-    /// Register new user via OIDC (fails if account already exists)
+    /// Register new user via OIDC, or auto-login if account already exists
     pub async fn register(
         &self,
         pending_auth: OidcPendingAuth,
         params: LoginRegisterParams,
         oidc_register_params: OidcRegisterParams<'_>,
         pending_setup: Option<PendingSetup>,
-    ) -> Result<User> {
+    ) -> Result<OidcRegisterResult> {
         let OidcRegisterParams {
             provider_slug,
             code,
@@ -125,16 +133,32 @@ impl OidcService {
         // Exchange code for user info using provider
         let user_info = provider.exchange_code(code, &pending_auth).await?;
 
-        // Check if user already exists with this OIDC account
-        if let Some(_existing_user) = self
+        // If user already exists with this OIDC account, log them in
+        if let Some(existing_user) = self
             .user_service
             .get_user_by_oidc(&user_info.subject)
             .await?
         {
-            return Err(anyhow!(
-                "An account with this {} login already exists. Please use the login flow instead.",
-                provider.name
-            ));
+            let authentication: AuthenticatedEntity = existing_user.clone().into();
+            self.event_bus
+                .publish_auth(AuthEvent {
+                    id: Uuid::new_v4(),
+                    user_id: Some(existing_user.id),
+                    organization_id: Some(existing_user.base.organization_id),
+                    timestamp: Utc::now(),
+                    operation: AuthOperation::LoginSuccess,
+                    ip_address: ip,
+                    user_agent,
+                    metadata: serde_json::json!({
+                        "method": "oidc",
+                        "provider": provider.slug,
+                        "provider_name": provider.name,
+                        "via_register_flow": true
+                    }),
+                    authentication,
+                })
+                .await?;
+            return Ok(OidcRegisterResult::ExistingUser(existing_user));
         }
 
         // Parse or create fallback email
@@ -154,6 +178,66 @@ impl OidcService {
             ));
         }
 
+        // Check if email is already in use by another account
+        let existing = self
+            .user_service
+            .get_all(
+                crate::server::shared::storage::filter::StorableFilter::<User>::new_from_email(
+                    &email,
+                ),
+            )
+            .await?;
+        if !existing.is_empty() {
+            // Auto-link OIDC identity to existing account and log them in
+            let mut existing_user = existing.into_iter().next().unwrap();
+
+            // If already linked to a different OIDC provider, don't override
+            if let Some(existing_provider) = &existing_user.base.oidc_provider
+                && existing_provider != &provider.slug
+            {
+                let existing_provider_name = self
+                    .get_provider(existing_provider)
+                    .map(|p| p.name.as_str())
+                    .unwrap_or(existing_provider.as_str());
+                return Err(anyhow!(
+                    "This account is already linked to {}. Please sign in with {} or unlink it first.",
+                    existing_provider_name,
+                    existing_provider_name
+                ));
+            }
+
+            existing_user.base.oidc_provider = Some(provider.slug.clone());
+            existing_user.base.oidc_subject = Some(user_info.subject);
+            existing_user.base.oidc_linked_at = Some(chrono::Utc::now());
+
+            let authentication: AuthenticatedEntity = existing_user.clone().into();
+
+            self.event_bus
+                .publish_auth(AuthEvent {
+                    id: Uuid::new_v4(),
+                    user_id: Some(existing_user.id),
+                    organization_id: Some(existing_user.base.organization_id),
+                    timestamp: Utc::now(),
+                    operation: AuthOperation::OidcLinked,
+                    ip_address: ip,
+                    user_agent,
+                    metadata: serde_json::json!({
+                        "method": "oidc",
+                        "provider": provider.slug,
+                        "provider_name": provider.name,
+                        "auto_linked": true
+                    }),
+                    authentication: authentication.clone(),
+                })
+                .await?;
+
+            let updated = self
+                .user_service
+                .update(&mut existing_user, authentication)
+                .await?;
+            return Ok(OidcRegisterResult::ExistingUser(updated));
+        }
+
         // Register new user
         let user = self
             .auth_service
@@ -195,7 +279,7 @@ impl OidcService {
             })
             .await?;
 
-        Ok(user)
+        Ok(OidcRegisterResult::NewUser(user))
     }
 
     /// Login existing user via OIDC (fails if account doesn't exist)
 
@@ -470,7 +470,7 @@ pub async fn setup_authenticated_user(client: &TestClient) -> Result<User, Strin
             println!("✅ Registered new user: {}", user.base.email);
             Ok(user)
         }
-        Err(e) if e.contains("already taken") => {
+        Err(e) if e.contains("already taken") || e.contains("already in use") => {
             println!("User already exists, logging in...");
             client.login(&test_email, TEST_PASSWORD).await
         }
Original file line number	Diff line number	Diff line change
`@@ -470,7 +470,7 @@ pub async fn setup_authenticated_user(client: &TestClient) -> Result<User, Strin`
`470`	`470`	`println!("✅ Registered new user: {}", user.base.email);`
`471`	`471`	`Ok(user)`
`472`	`472`	`}`
`473`		`- Err(e) if e.contains("already taken") => {`
	`473`	`+ Err(e) if e.contains("already taken") \|\| e.contains("already in use") => {`
`474`	`474`	`println!("User already exists, logging in...");`
`475`	`475`	`client.login(&test_email, TEST_PASSWORD).await`
`476`	`476`	`}`