* ZOD-341-junior-a-child-can-edit-their-email-to-an-existing-email-causing-multiple-child-accounts-to-share-the-same-login

src/user/dtos/request/update-user.request.dto.ts

@@ -1,5 +1,5 @@
 import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
-import { IsDateString, IsEnum, IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';
+import { IsDateString, IsEmail, IsEnum, IsNotEmpty, IsOptional, IsString, IsUUID } from 'class-validator';
 import { i18nValidationMessage as i18n } from 'nestjs-i18n';
 import { Gender } from '~/customer/enums';
 export class UpdateUserRequestDto {
@@ -15,6 +15,11 @@ export class UpdateUserRequestDto {
   @IsOptional()
   lastName!: string;
 
+  @ApiPropertyOptional({ example: 'child@example.com' })
+  @IsEmail({}, { message: i18n('validation.IsEmail', { path: 'general', property: 'user.email' }) })
+  @IsOptional()
+  email!: string;
+
   @ApiProperty({ example: '123e4567-e89b-12d3-a456-426614174000' })
   @IsUUID('4', { message: i18n('validation.IsUUID', { path: 'general', property: 'user.profilePictureId' }) })
   @IsOptional()

src/user/services/user.service.ts

@@ -191,6 +191,14 @@ export class UserService {
   async updateUser(userId: string, data: UpdateUserRequestDto) {
     await this.validateProfilePictureId(data.profilePictureId, userId);
 
+    if (data.email) {
+      const userWithEmail = await this.findUser({ email: data.email });
+      if (userWithEmail && userWithEmail.id !== userId) {
+        this.logger.error(`Email ${data.email} is already taken by another user`);
+        throw new BadRequestException('USER.EMAIL_ALREADY_TAKEN');
+      }
+    }
+
     this.logger.log(`Updating user ${userId} with data ${JSON.stringify(data)}`);
     
     const { gender, dateOfBirth, ...userData } = data;