fix: Check for existing device when creating oauth session

2026-06-09 10:11:48 +00:00 · 2026-06-08 10:38:00 -04:00
parent d4eff0256c
commit 476f5249ce
1 changed files with 14 additions and 0 deletions
@@ -350,6 +350,20 @@ async fn create_session(
 			})
 			.ok_or_else(|| OAuthError::invalid_grant("No device ID scope supplied"))?;

+		if self
+			.services
+			.users
+			.get_device_metadata(&authorizing_user, device_id)
+			.await
+			.is_ok()
+		{
+			return Err(OAuthError {
+				error: ErrorCode::InvalidScope,
+				error_description: "A device with the supplied ID already exists for this user"
+					.into(),
+			});
+		}
+
 		self.services
 			.users
 			.create_device(