EF UserStore FindByEmail will throw on dupes (#8220)

Author: HaoK

src/Identity/EntityFrameworkCore/src/UserOnlyStore.cs

@@ -502,7 +502,7 @@ public async override Task<TUser> FindByLoginAsync(string loginProvider, string
         {
             cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            return Users.FirstOrDefaultAsync(u => u.NormalizedEmail == normalizedEmail, cancellationToken);
+            return Users.SingleOrDefaultAsync(u => u.NormalizedEmail == normalizedEmail, cancellationToken);
         }
 
         /// <summary>

src/Identity/EntityFrameworkCore/src/UserStore.cs

@@ -635,7 +635,7 @@ public async override Task<TUser> FindByLoginAsync(string loginProvider, string
         {
             cancellationToken.ThrowIfCancellationRequested();
             ThrowIfDisposed();
-            return Users.FirstOrDefaultAsync(u => u.NormalizedEmail == normalizedEmail, cancellationToken);
+            return Users.SingleOrDefaultAsync(u => u.NormalizedEmail == normalizedEmail, cancellationToken);
         }
 
         /// <summary>

src/Identity/EntityFrameworkCore/test/EF.Test/UserOnlyTest.cs

@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Builder.Internal;
 using Microsoft.AspNetCore.Identity.Test;
@@ -65,5 +66,27 @@ public async Task EnsureStartupUsageWorks()
             IdentityResultAssert.IsSuccess(await userManager.CreateAsync(user, password));
             IdentityResultAssert.IsSuccess(await userManager.DeleteAsync(user));
         }
+
+        [ConditionalFact]
+        [FrameworkSkipCondition(RuntimeFrameworks.Mono)]
+        [OSSkipCondition(OperatingSystems.Linux)]
+        [OSSkipCondition(OperatingSystems.MacOSX)]
+        public async Task FindByEmailThrowsWithTwoUsersWithSameEmail()
+        {
+            var userStore = _builder.ApplicationServices.GetRequiredService<IUserStore<IdentityUser>>();
+            var manager = _builder.ApplicationServices.GetRequiredService<UserManager<IdentityUser>>();
+
+            Assert.NotNull(userStore);
+            Assert.NotNull(manager);
+
+            var userA = new IdentityUser(Guid.NewGuid().ToString());
+            userA.Email = "[email protected]";
+            const string password = "1qaz@WSX";
+            IdentityResultAssert.IsSuccess(await manager.CreateAsync(userA, password));
+            var userB = new IdentityUser(Guid.NewGuid().ToString());
+            userB.Email = "[email protected]";
+            IdentityResultAssert.IsSuccess(await manager.CreateAsync(userB, password));
+            await Assert.ThrowsAsync<InvalidOperationException>(async () => await manager.FindByEmailAsync("[email protected]"));
+        }
     }
 }

src/Identity/EntityFrameworkCore/test/EF.Test/UserStoreTest.cs

@@ -208,6 +208,23 @@ public async Task TwoUsersSamePasswordDifferentHash()
             Assert.NotEqual(userA.PasswordHash, userB.PasswordHash);
         }
 
+        [ConditionalFact]
+        [FrameworkSkipCondition(RuntimeFrameworks.Mono)]
+        [OSSkipCondition(OperatingSystems.Linux)]
+        [OSSkipCondition(OperatingSystems.MacOSX)]
+        public async Task FindByEmailThrowsWithTwoUsersWithSameEmail()
+        {
+            var manager = CreateManager();
+            var userA = new IdentityUser(Guid.NewGuid().ToString());
+            userA.Email = "[email protected]";
+            IdentityResultAssert.IsSuccess(await manager.CreateAsync(userA, "password"));
+            var userB = new IdentityUser(Guid.NewGuid().ToString());
+            userB.Email = "[email protected]";
+            IdentityResultAssert.IsSuccess(await manager.CreateAsync(userB, "password"));
+            await Assert.ThrowsAsync<InvalidOperationException>(async () => await manager.FindByEmailAsync("[email protected]"));
+
+        }
+
         [ConditionalFact]
         [FrameworkSkipCondition(RuntimeFrameworks.Mono)]
         [OSSkipCondition(OperatingSystems.Linux)]

src/Identity/Extensions.Core/src/UserManager.cs

@@ -1393,6 +1393,8 @@ public virtual async Task<IdentityResult> SetEmailAsync(TUser user, string email
 
         /// <summary>
         /// Gets the user, if any, associated with the normalized value of the specified email address.
+        /// Note: Its recommended that identityOptions.User.RequireUniqueEmail be set to true when using this method, otherwise
+        /// the store may throw if there are users with duplicate emails.
         /// </summary>
         /// <param name="email">The email address to return the user for.</param>
         /// <returns>