Skip to content

bug: duplicate username provisioning exposes raw database IntegrityError #318

Description

@jsell-rh

Summary

When two SSO users share the same preferred_username claim, the second user's JIT provisioning fails with a raw SQLAlchemy IntegrityError that propagates to the caller. This should be caught and converted to a domain-level error.

Expected Behavior

Per specs/iam/users.spec.md:

  • The second provisioning fails with a provisioning conflict error
  • The error does not expose database internals

Actual Behavior

iam/application/services/user_service.py:96-102 catches all exceptions, logs them, and re-raises unchanged:

except Exception as e:
    self._probe.user_provision_failed(...)
    raise

The user repository (iam/infrastructure/user_repository.py) has no IntegrityError handling — it propagates as a raw database exception, which surfaces as a 500 Internal Server Error with SQLAlchemy details in the response.

Impact

  • Exposes database internals (table names, constraint names) in error responses
  • Returns 500 instead of a meaningful error code (409 Conflict)
  • No actionable error message for the caller

Fix

Catch IntegrityError in the user repository or service layer, check for the username uniqueness constraint, and raise a domain exception (e.g., DuplicateUsernameError) that maps to 409 Conflict.

References

  • specs/iam/users.spec.md — "Duplicate username" scenario

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions