Solved a bug where users could change their e-mail to another user's email

src/pages/api/users/update.ts

@@ -12,7 +12,7 @@ import moment from "moment";
 import ShortUniqueId from "short-unique-id";
 import {Payment} from "@/interfaces/paypal";
 import {toFixedNumber} from "@/utils/number";
-import { propagateStatusChange } from '@/utils/propagate.user.changes';
+import {propagateStatusChange} from "@/utils/propagate.user.changes";
 
 const db = getFirestore(app);
 const auth = getAuth(app);
@@ -85,7 +85,7 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 		const user = await setDoc(userRef, updatedUser, {merge: true});
 		await managePaymentRecords(updatedUser, updatedUser.id);
 
-		if(updatedUser.status) {
+		if (updatedUser.status) {
 			// there's no await as this does not affect the user
 			propagateStatusChange(queryId, updatedUser.status);
 		}
@@ -117,6 +117,12 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 
 	if (updatedUser.email !== req.session.user.email && updatedUser.password) {
 		try {
+			const usersWithSameEmail = await getDocs(query(collection(db, "users"), where("email", "==", updatedUser.email.toLowerCase())));
+			if (usersWithSameEmail.docs.length > 0) {
+				res.status(400).json({error: "E003", message: errorMessages.E003});
+				return;
+			}
+
 			const credential = await signInWithEmailAndPassword(auth, req.session.user.email, updatedUser.password);
 			await updateEmail(credential.user, updatedUser.email);
 
@@ -142,7 +148,7 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 		}
 	}
 
-	if(updatedUser.status) {
+	if (updatedUser.status) {
 		// there's no await as this does not affect the user
 		propagateStatusChange(req.session.user.id, updatedUser.status);
 	}