feat: Prevent ldap email based account when there are deplicate emails

[ireneea]

Summary

Prevent account take over and privilege escalation via attacker changing LDAP email to match victims account.
This is done by preventing auto-linking of account when the LDAP records has multiple users with the same email

Related Linear tickets, Github issues, and Community forum posts

Resolves PAY-4089

Review / Merge checklist

• PR title and summary are descriptive. (conventions)
• Docs updated or follow-up ticket created.
• Tests included.
• PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

---

Note

Adds enforceEmailUniqueness to LDAP config (default true) and blocks LDAP login when multiple directory entries share the same email; exposes toggle in settings UI and updates tests.

• Backend:
  • Add enforceEmailUniqueness: boolean to LdapConfig with secure defaulting in loadConfig() and LDAP_DEFAULT_CONFIGURATION.
  • Implement duplicate-email check hasEmailDuplicatesInLdap() and enforce in handleLdapLogin() to block auto-linking when duplicates detected.
  • Update validation schema (ldap.ee/constants.ts) and non-sensitive config list to include enforceEmailUniqueness.
  • Extend REST API client LdapConfig to include enforceEmailUniqueness.
• Frontend:
  • Add settings toggle enforceEmailUniqueness in SettingsLdapView.vue with i18n strings, and persist via updateLdapConfig().
• Tests:
  • Add unit tests for login behavior with duplicate emails when enforcement is enabled/disabled.

^{Written by Cursor Bugbot for commit 8cf9f0b. This will update automatically on new commits. Configure here.}

[bundlemon]

BundleMon

Unchanged files (2)

Status	Path	Size	Limits
✅	WASM Dependencies tree-sitter-bash.wasm	181.26KB	-
✅	WASM Dependencies tree-sitter.wasm	74.47KB	-

No change in files bundle size

Groups updated (2)

Status	Path	Size	Limits
✅	**/*.js	11.33MB (+39.9KB +0.35%)	-
✅	**/*.css	220.82KB (+51B +0.02%)	-

Final result: ✅

View report in BundleMon website ➡️

---

Current branch size history | Target branch size history

[codecov]

Codecov Report

❌ Patch coverage is 83.33333% with 4 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
packages/cli/src/ldap.ee/ldap.service.ee.ts	69.23%	4 Missing ⚠️

📢 Thoughts on this report? Let us know!

[cubic-dev-ai]

1 issue found across 7 files

Prompt for AI agents (all 1 issues)

Understand the root cause of the following 1 issues and fix them.


<file name="packages/cli/src/ldap.ee/__tests__/ldap.service.test.ts">

<violation number="1" location="packages/cli/src/ldap.ee/__tests__/ldap.service.test.ts:1446">
This assertion is inverted: with an existing LDAP auth identity, handleLdapLogin should bypass duplicate-email blocking and return the user, but the test still expects undefined because getAuthIdentityByLdapId stays mocked to null. Update the test to mock an existing identity and expect the login to succeed.</violation>
</file>

_{React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[cursor]

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[currents-bot]

✅

E2E Tests: n8n tests passed after 6m 49.8s

🟢 585 · 🔴 0 · ⚪️ 12 · 🟣 3

View Run Details

Run Details

• Project: n8n

• Groups: 2

• Framework: Playwright

• Run Status: Passed

• Commit: 8cf9f0b

• Spec files: 96

• Overall tests: 597

• Duration: 6m 49.8s

• Parallelization: 8

Groups

GroupId	Results	Spec Files Progress
ui	🟢 530 · 🔴 0 · ⚪️ 12 · 🟣 2	89 / 89
ui:isolated	🟢 55 · 🔴 0 · ⚪️ 0 · 🟣 1	7 / 7

---

This message was posted automatically by currents.dev | Integration Settings

[n8n-assistant]

Got released with [email protected]