
GitHub username collisions can prevent first-time OAuth login and incorrectly reject valid users #492

@Ridanshi

Description

Summary

The GitHub OAuth onboarding flow assumes GitHub usernames can be mapped directly into DevCard usernames.

When a GitHub username already exists within DevCard, first-time authentication may fail even though the accounts belong to different users.

Affected Files

  • auth.ts
  • userService.ts

Root Cause

The onboarding flow attempts to create user records using GitHub-derived usernames without sufficient collision handling.

When the username already exists, account creation fails despite the user being otherwise valid.

Reproduction

  1. Create a DevCard account using a specific username.
  2. Attempt GitHub OAuth login from a different GitHub account using the same username.
  3. Observe account creation failure.
  4. Verify that the email and GitHub account are otherwise valid.

Expected Behavior

Username collisions should be resolved gracefully.

Actual Behavior

Authentication fails because the username is already taken.

Why This Is Difficult To Detect

Most testing uses unique accounts.

The issue only appears when usernames overlap.

Production Impact

  • Failed onboarding
  • User frustration
  • Prevented GitHub adoption
  • Support burden

Suggested Fix

Introduce deterministic username conflict resolution during onboarding.

Severity

Medium-High
