Is there a reason why creating an account with an email already registered doesn't return an error? #4312
dlhck started this conversation in Feature Requests
Is there a reason why creating an account with an email already registered doesn't return an error?
Update - more information
Running the following mutation multiple times with the same credentials always returns success.
Here are the two cases I could think of:
1. If the user registered, but has not yet verified his account. Any subsequent registration attempt with the same credentials returns success. Also, multiple verification emails are sent. If different passwords were specified during the registration attempts, the first one is the one recorded in the database. You could see how this might confuse customers.
2. If the account is verified, any subsequent registration attempt returns success.
Looking at the error codes currently used, it seems like it should return:
EMAIL_ADDRESS_CONFLICT_ERROR for case (2)
Either EMAIL_ADDRESS_CONFLICT_ERROR or NOT_VERIFIED (subject to issue "Exception when try to login with a not validated account" #500) for case (1), although I prefer the latter as it is more informative to the customer.
I'm now aware of commit b1ffa1e that makes the registration mutation silently fail to protect user data. You're trading off extra security for customer experience. As a user, I often forget if I have an account on a particular website - especially if I don't use it often. I'm curious to hear what you think.
Originally posted by @marwand in #33 (comment)
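An added sketch (not part of the original post and not the project's code) of the trade-off the post describes: an in-memory model of registration under the silent-success behaviour and under the error codes the post proposes, counting how many distinct responses an unauthenticated caller can observe. The function names, the store and the sample addresses are constructed for illustration; only the two error code names come from the post.

```javascript
// Added illustration: in-memory model, not the project's implementation.
// Error code names are the ones quoted in the post above.
function createStore() {
  return { accounts: new Map(), outbox: [] };
}

// policy "silent": every call returns the same success payload.
// policy "explicit": the error codes proposed in the post are returned.
function register(store, policy, email, password) {
  const existing = store.accounts.get(email);
  if (!existing) {
    store.accounts.set(email, { password, verified: false });
    store.outbox.push({ to: email, kind: 'verify' });
    return { success: true };
  }
  if (!existing.verified) {
    // Case (1): the first password stays on record and another verification
    // mail goes out (assumed to happen under both policies in this model).
    store.outbox.push({ to: email, kind: 'verify' });
    return policy === 'explicit' ? { errorCode: 'NOT_VERIFIED' } : { success: true };
  }
  // Case (2): a verified account already exists.
  return policy === 'explicit'
    ? { errorCode: 'EMAIL_ADDRESS_CONFLICT_ERROR' }
    : { success: true };
}

function verify(store, email) {
  store.accounts.get(email).verified = true;
}

// Registers against a new, an unverified and a verified address
// (constructed samples) and counts the distinct response bodies returned.
function observableResponses(policy) {
  const store = createStore();
  register(store, policy, 'unverified@example.test', 'first-pw');
  register(store, policy, 'verified@example.test', 'pw');
  verify(store, 'verified@example.test');
  const probes = ['new@example.test', 'unverified@example.test', 'verified@example.test'];
  const seen = new Set(
    probes.map((e) => JSON.stringify(register(store, policy, e, 'other-pw')))
  );
  return { distinct: seen.size, store };
}
```

With one distinct response the caller learns nothing about which addresses are registered; with three, the response itself discloses the account state, which is the customer-experience gain and the privacy cost being weighed.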