Closed. rolodato closed this 3 months ago.
Hey, if you haven't solved this, can I take this up? I am looking to contribute to Flagsmith, and this can be a good issue to start with.
Sure! Will assign!
I prefer the "alternative" so we don't leak information here.
Yup, the alternative looks like a better way to me too from a user point of view. I will start working on it, thanks.
I've clarified this now in the original issue - please note that Flagsmith does not currently send confirmation emails, so that approach will take a lot more work.
My opinion would be to go with the first approach for now. Being an open source project it doesn't make much sense to obfuscate the message - it's trivial to see that trying to sign up with a valid email and receiving "Invalid email address" means that the email is already registered, i.e. we're leaking the information anyway, just in a way that is confusing to customers. Later on we can implement the second approach.
Understood.
Hey guys, to be on the same page, this is the exact error, right? It took me very long to set up the project; I will be raising an issue to improve the contributing.md 🚀
Is this error message okay? Or something else?
Can we have "Email already exists. Please Login."?
Okay, done.
Sorry for nitpicking - this should be "Email already exists. Please log in.", since "login" is not a verb or a proper noun.
Opened a PR, #3924; ignore 21aa6c9 (irrelevant), I pushed it by mistake on my fork.
How are you running Flagsmith
Describe the bug
In https://github.com/Flagsmith/flagsmith/issues/1089, the signup logic was changed to return "Invalid email address" when trying to sign up a new account with an existing email address. This is a bug.
Steps To Reproduce
Expected behavior
The error message should state that the account already exists, and maybe suggest that the user logs in instead. Trying to obfuscate this message is mostly security theatre and does not provide any real security benefit.
One alternative could be to allow the signup flow to continue if the account already exists, showing a message like "Check your email to proceed with signup". We could send an email to the user in this case saying that someone tried to sign up with their email, and suggest they log in instead. If their email does not already exist, send them a confirmation email. Note that Flagsmith does not currently send confirmation emails.
Screenshots
No response
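The two signup flows discussed in this thread (the "first approach" of stating plainly that the email is taken, argued for in the comments, and the "alternative" from the issue body that returns the same response either way and moves the difference into the inbox), written out as an added example. This is not Flagsmith's code: the `Store`, `Outbox` and handler names are assumptions, and the registered user is constructed sample data.

```python
"""Added example, not Flagsmith code: what each signup flow reveals to an
unauthenticated caller who submits an email address."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Outbox:
    """Constructed stand-in for a mail queue; records what would be sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


@dataclass
class Store:
    """Constructed stand-in for the user table plus a pending-signup table."""
    users: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # confirmation token -> email


def signup_distinct(store: Store, email: str) -> dict:
    """First approach: say plainly that the email is registered.

    The response itself tells any caller whether the address has an account,
    which is the trade-off the thread accepts for now.
    """
    norm = email.lower()
    if norm in store.users:
        return {"status": 400, "message": "Email already exists. Please log in."}
    store.users.add(norm)
    return {"status": 201, "message": "Account created."}


def signup_uniform(store: Store, outbox: Outbox, email: str) -> dict:
    """Alternative: identical response whether or not the email exists.

    The branch only decides which email is sent; the HTTP response is the
    same object in both cases, so a caller cannot enumerate accounts from it.
    """
    norm = email.lower()
    if norm in store.users:
        outbox.send(norm, "Someone tried to sign up with your email",
                    "If this was you, log in instead.")
    else:
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        store.pending[token] = norm
        outbox.send(norm, "Confirm your signup", f"Confirmation token: {token}")
    return {"status": 200, "message": "Check your email to proceed with signup."}


def confirm_signup(store: Store, token: str) -> bool:
    """Second step of the uniform flow: the token from the email creates the account."""
    email = store.pending.pop(token, None)  # pop makes the token single-use
    if email is None:
        return False
    store.users.add(email)
    return True


def distinguishable(resp_registered: dict, resp_unregistered: dict) -> bool:
    """What an enumeration attacker compares: status code and body of the two responses."""
    return resp_registered != resp_unregistered


if __name__ == "__main__":
    store = Store(users={"alice@example.com"})  # constructed existing account
    print("distinct flow leaks:",
          distinguishable(signup_distinct(store, "alice@example.com"),
                          signup_distinct(store, "bob@example.com")))
    store, outbox = Store(users={"alice@example.com"}), Outbox()
    print("uniform flow leaks:",
          distinguishable(signup_uniform(store, outbox, "alice@example.com"),
                          signup_uniform(store, outbox, "bob@example.com")))
    for mail in outbox.sent:
        print(mail["to"], "<-", mail["subject"])
```

The uniform flow only resists enumeration if nothing else differs between the two branches: same status code, same body, same headers, and no measurable latency difference, so the email must be handed to a queue rather than sent synchronously inside the request. It also needs the confirmation-email infrastructure that, as noted in the thread, Flagsmith does not currently have, which is why the comments settle on the distinct message for now.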