EGreg / Platform-history

The Qbix Platform for powering Social Applications
http://qbix.com/platform
GNU Affero General Public License v3.0

Verifying email or mobile for two different users #15

Open EGreg opened 10 years ago

EGreg commented 10 years ago

To reproduce: Have a user sign up with an identifier (email or mobile), but before they visit the URL to verify their identifier, have them invite "someone else" at this exact same identifier. It will work, because the identifier hasn't been verified for this user yet. And then, they go and verify this identifier for themselves, log out, and accept the invite. The result: the same identifier is verified for both user accounts. The last one wins.

What should we do in this case? Probably the user shouldn't be able to invite someone at the same email or mobile address that is pending for them. But this is not a solution either, because they can still hit the bug by first inviting them, and THEN setting their identifier to the same one as they invited, and verifying it.

So I am not sure we can easily prevent the sending. But we can prevent the accepting of an invite or setting of a new identifier if it has already been verified for someone else.
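The fix the report arrives at (refuse to verify an identifier, whether via the verification link or via accepting an invite, once it is already verified for a different account) can be modelled as a single invariant check shared by both paths. The following is an added example written for this issue, not Qbix code: an in-memory store with hypothetical names (`IdentityStore`, `verifyIdentifier`, `acceptInvite`, `replayReport`) that replays the reported sequence in both orderings, with and without the guard, so the "last one wins" outcome and its prevention are both visible.

```javascript
// Added example (not Qbix code): an in-memory model of identifier
// verification. The one guard, assertNotVerifiedForOther, is called from
// every path that would mark an identifier as verified, so the order in
// which the two accounts claim it no longer matters.
function normalize(identifier) {
  return identifier.trim().toLowerCase();
}

class IdentityStore {
  constructor({ enforceUnique = true } = {}) {
    this.enforceUnique = enforceUnique; // false reproduces the reported behaviour
    this.verified = new Map();          // identifier -> userId that has it verified
    this.pending = new Map();           // userId -> identifier awaiting verification
    this.invites = new Map();           // inviteToken -> { identifier, fromUser }
    this.nextInvite = 1;
  }

  // A user asks to add an identifier; nothing is trusted at this point.
  setPendingIdentifier(userId, identifier) {
    this.pending.set(userId, normalize(identifier));
  }

  // Inviting someone at an unverified identifier stays allowed (the report
  // explains why blocking only the send does not help); it just mints a token.
  invite(fromUser, identifier) {
    const token = `inv-${this.nextInvite++}`;
    this.invites.set(token, { identifier: normalize(identifier), fromUser });
    return token;
  }

  // Invariant: an identifier is verified for at most one account.
  assertNotVerifiedForOther(identifier, userId) {
    const owner = this.verified.get(identifier);
    if (this.enforceUnique && owner !== undefined && owner !== userId) {
      throw new Error(`${identifier} is already verified for another account`);
    }
  }

  // The user follows the verification link for their pending identifier.
  verifyIdentifier(userId) {
    const identifier = this.pending.get(userId);
    if (identifier === undefined) throw new Error('nothing pending for this user');
    this.assertNotVerifiedForOther(identifier, userId);
    this.verified.set(identifier, userId);
    this.pending.delete(userId);
    return identifier;
  }

  // An account accepts an invite, which implicitly verifies the identifier
  // the invite was addressed to.
  acceptInvite(token, userId) {
    const inv = this.invites.get(token);
    if (!inv) throw new Error('unknown invite token');
    this.assertNotVerifiedForOther(inv.identifier, userId);
    this.verified.set(inv.identifier, userId);
    this.invites.delete(token);
    return inv.identifier;
  }

  ownerOf(identifier) {
    return this.verified.get(normalize(identifier));
  }
}

// Replays the reported sequence: user-A sets a pending identifier and invites
// "someone else" at the same address; then either A verifies first and B
// accepts the invite, or (acceptFirst) B accepts first and A verifies.
// Returns who ends up owning the identifier and whether the second claim
// was rejected.
function replayReport({ enforceUnique, acceptFirst = false }) {
  const store = new IdentityStore({ enforceUnique });
  const email = 'Alice@Example.com'; // constructed sample value
  store.setPendingIdentifier('user-A', email);
  const token = store.invite('user-A', email);
  const steps = acceptFirst
    ? [() => store.acceptInvite(token, 'user-B'), () => store.verifyIdentifier('user-A')]
    : [() => store.verifyIdentifier('user-A'), () => store.acceptInvite(token, 'user-B')];
  steps[0]();
  let rejected = false;
  try {
    steps[1]();
  } catch (e) {
    rejected = true;
  }
  return { owner: store.ownerOf(email), rejected };
}
```

Without the guard the second claim silently overwrites the first, which is the "last one wins" result described above; with it, whichever account verifies first keeps the identifier and the other attempt fails at the point of verification rather than at the point of sending the invite. In a real deployment the same invariant belongs in the database as a unique constraint on verified identifiers, so that two requests arriving concurrently cannot both pass the application-level check.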