From 476f5249cee78279eaa13cf75fc0c57f53262ed4 Mon Sep 17 00:00:00 2001
From: Ginger
Date: Mon, 8 Jun 2026 10:38:00 -0400
Subject: [PATCH] fix: Check for existing device when creating oauth session
---
 src/service/oauth/mod.rs | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/src/service/oauth/mod.rs b/src/service/oauth/mod.rs
index c0c25f8a4..0ea0a85f2 100644
--- a/src/service/oauth/mod.rs
+++ b/src/service/oauth/mod.rs
@@ -350,6 +350,20 @@ async fn create_session(
 })
 .ok_or_else(|| OAuthError::invalid_grant("No device ID scope supplied"))?;
 
+ if self
+ .services
+ .users
+ .get_device_metadata(&authorizing_user, device_id)
+ .await
+ .is_ok()
+ {
+ return Err(OAuthError {
+ error: ErrorCode::InvalidScope,
+ error_description: "A device with the supplied ID already exists for this user"
+ .into(),
+ });
+ }
+
 self.services
 .users
 .create_device(
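Review bot: The added existence check fails open, because `.is_ok()` treats every error from `get_device_metadata` as "no such device". A lookup that fails for another reason (a storage error, for instance) would still fall through to `create_device` with the client-supplied device ID. Consider matching on the result so that only a definite not-found continues and any other error is returned to the caller, with a comment such as `// Fail closed: only a confirmed "device not found" may proceed to create_device`. The check and `create_device` are also separate awaited steps, so two concurrent requests with the same device ID could both pass unless `create_device` itself rejects duplicates, which is not visible here. `create_session` begins and ends outside this hunk.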