Email already in Use

[sajjadahmedcfc]

What happened?

If I re-enter the same email in the registration form, it still returns a 200 response and redirects to the login page.

Steps to Reproduce

1. Go to the Sign-Up page.
2. Re-enter the same email address you used previously to log in.
3. It redirects to the Sign-In page without applying any changes made during Sign-Up."

What browsers are you seeing the problem on?

Firefox, Chrome, Safari, Microsoft Edge, Mobile (Android), Mobile (iOS)

Screenshots

if (existingUser) {
      logger.info(
        'Register User - Email in use',
        { name: 'Request params:', value: user },
        { name: 'Existing user:', value: existingUser },
      );

      // Sleep for 1 second
      await new Promise((resolve) => setTimeout(resolve, 1000));
      return { status: 200, message: genericVerificationMessage };
    }

This is your code. While registering the user, you should send a status like 419 or another appropriate one to make it work. Also, update the genericVerificationMessage to something more meaningful.

Code of Conduct

• I agree to follow this project's Code of Conduct

[danny-avila]

This is a security best practice, as It does this to obfuscate so an attacker is unaware of an email being in use, otherwise known as "username enumeration prevention"

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account

[sajjadahmedcfc]

Thanks, Danny, for the response. I recommend showing a failed sign-up message in this case instead of making the user believe they have created an account with new credentials etc.