Do not allow overriding users when uuid is duplicate

homeassistant/auth/auth_store.py

@@ -120,6 +120,9 @@ class AuthStore:
 
         new_user = models.User(**kwargs)
 
+        while new_user.id in self._users:
+            new_user = models.User(**kwargs)
+
         self._users[new_user.id] = new_user
 
         if credentials is None:

tests/auth/test_auth_store.py

@@ -2,7 +2,7 @@
 
 import asyncio
 from typing import Any
-from unittest.mock import patch
+from unittest.mock import PropertyMock, patch
 
 from freezegun.api import FrozenDateTimeFactory
 import pytest
@@ -300,6 +300,20 @@ async def test_loading_does_not_write_right_away(
     assert hass_storage[auth_store.STORAGE_KEY] != {}
 
 
+async def test_duplicate_uuid(
+    hass: HomeAssistant, hass_storage: dict[str, Any]
+) -> None:
+    """Test we don't override user if we have a duplicate user ID."""
+    hass_storage[auth_store.STORAGE_KEY] = MOCK_STORAGE_DATA
+    store = auth_store.AuthStore(hass)
+    await store.async_load()
+    with patch("uuid.UUID.hex", new_callable=PropertyMock) as hex_mock:
+        hex_mock.side_effect = ["user-id", "new-id"]
+        user = await store.async_create_user("Test User")
+    assert len(hex_mock.mock_calls) == 2
+    assert user.id == "new-id"
+
+
 async def test_add_remove_user_affects_tokens(
     hass: HomeAssistant, hass_storage: dict[str, Any]
 ) -> None: