diff --git a/backend/src/routes/auth.routes.ts b/backend/src/routes/auth.routes.ts
index 45f1380..e7adebe 100644
--- a/backend/src/routes/auth.routes.ts
+++ b/backend/src/routes/auth.routes.ts
@@ -1,4 +1,6 @@
 import { Router, Request, Response } from "express";
+import { AppDataSource } from "../config/data-source";
+import { User } from "../entities/User";
 import { requireAuth, AuthenticatedRequest } from "../middleware/auth.middleware";
 
 const router = Router();
@@ -43,11 +45,27 @@ router.post("/session", async (req: Request, res: Response): Promise => {
 error?: string;
 };
 
- if (!response.ok || !data.data?.valid) {
+ if (!response.ok || !data.data?.valid || !data.data.user) {
 res.status(401).json({ success: false, error: "INVALID_TOKEN" });
 return;
 }
 
+ // Upsert user en DB — crée si premier login, met à jour email/nickname sinon
+ const oauthUser = data.data.user as { id: string; email: string | null; nickname: string };
+ const userRepo = AppDataSource.getRepository(User);
+ let dbUser = await userRepo.findOne({ where: { superOAuthId: oauthUser.id } });
+ if (!dbUser) {
+ dbUser = userRepo.create({
+ superOAuthId: oauthUser.id,
+ email: oauthUser.email,
+ nickname: oauthUser.nickname,
+ });
+ } else {
+ dbUser.email = oauthUser.email;
+ dbUser.nickname = oauthUser.nickname;
+ }
+ await userRepo.save(dbUser);
+
 res.cookie(COOKIE_NAME, token, COOKIE_OPTIONS);
 res.json({ success: true, data: { user: data.data.user } });
 } catch {
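Review bot: The `as { id: string; email: string | null; nickname: string }` assertion on `data.data.user` is not a runtime check, so the new `!data.data.user` guard only proves the object is truthy before `oauthUser.id` becomes the lookup key. If the OAuth service ever returns a user without a string `id`, `findOne({ where: { superOAuthId: oauthUser.id } })` runs with an undefined condition; TypeORM versions that skip undefined where-values treat that as no filter, and the `else` branch would then overwrite an unrelated account's email and nickname. Validate before the lookup, e.g. `if (typeof oauthUser.id !== "string" || oauthUser.id.length === 0) { res.status(401).json({ success: false, error: "INVALID_TOKEN" }); return; }`, and check the `email` and `nickname` types the same way. The find-then-save pair is also not atomic, so two concurrent first logins can both take the create branch; a unique constraint on `superOAuthId` (the entity is not visible here) together with `userRepo.upsert(...)` would close that. The handler starts and ends outside this hunk, so what the bare `catch` returns on a database failure could not be checked.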