Flagsmith / flagsmith

Open Source Feature Flagging and Remote Config Service. Host on-prem or use our hosted version at https://flagsmith.com/
BSD 3-Clause "New" or "Revised" License

"Invalid email address" when account already exists #3886

Closed rolodato closed 3 months ago

rolodato commented 5 months ago

How are you running Flagsmith

Describe the bug

In https://github.com/Flagsmith/flagsmith/issues/1089, the signup logic was changed to return "Invalid email address" when trying to sign up a new account with an existing email address. This is a bug.

Steps To Reproduce

  1. Sign up to Flagsmith
  2. Try to sign up with the same email address again
  3. Error message is "Invalid email address"

Expected behavior

The error message should state that the account already exists, and maybe suggest that the user logs in instead. Trying to obfuscate this message is mostly security theatre and does not provide any real security benefit.

One alternative could be to allow the signup flow to continue if the account already exists, showing a message like "Check your email to proceed with signup". We could send an email to the user in this case saying that someone tried to sign up with their email, and suggest they log in instead. If their email does not already exist, send them a confirmation email. Note that Flagsmith does not currently send confirmation emails.

Screenshots

No response

utkarsh-1905 commented 5 months ago

Hey, if you haven't solved this, can I take this up? I am looking to contribute to Flagsmith, and this can be a good issue to start with.

dabeeeenster commented 5 months ago

Sure! Will assign!

dabeeeenster commented 5 months ago

I prefer the "alternative" so we don't leak information here.

utkarsh-1905 commented 5 months ago

Yup, the alternative looks like a better way to me too from a user point of view. Will start working on it, thanks.

rolodato commented 5 months ago

I've clarified this now in the original issue - please note that Flagsmith does not currently send confirmation emails, so that approach will take a lot more work.

My opinion would be to go with the first approach for now. Being an open source project it doesn't make much sense to obfuscate the message - it's trivial to see that trying to sign up with a valid email and receiving "Invalid email address" means that the email is already registered, i.e. we're leaking the information anyway, just in a way that is confusing to customers. Later on we can implement the second approach.
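The two signup responses discussed in this thread, side by side, as an added example that is not Flagsmith's code: an in-memory `SignupService` (a constructed stand-in for the user store and mail sender) that in `explicit` mode returns the plain "already exists" message preferred above, and in `uniform` mode implements the alternative from the issue body, where the HTTP response is identical whether or not the account exists and the distinguishing information goes only to the mailbox owner. The email regex, the template names and the `mode` switch are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Minimal syntactic check standing in for a real validator (assumption, not Flagsmith's).
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Response:
    status: int
    message: str


@dataclass
class SignupService:
    """Constructed stand-in for the user store and mail sender; not the project's code."""

    mode: str                                   # "explicit" or "uniform" (assumed switch)
    users: set = field(default_factory=set)     # emails of existing accounts, lower-cased
    outbox: list = field(default_factory=list)  # (recipient, template) pairs "sent"

    def signup(self, email: str, password: str) -> Response:
        email = email.strip().lower()
        if not _EMAIL_RE.match(email):
            # Only a malformed address gets this message; it is no longer used to mask a duplicate.
            return Response(400, "Invalid email address")

        exists = email in self.users

        if self.mode == "explicit":
            # First approach: state plainly that the account exists and point to login.
            if exists:
                return Response(400, "Email already exists. Please log in.")
            self.users.add(email)
            return Response(201, "Account created")

        # "uniform" mode, the alternative: same status and same message either way, so the
        # response alone does not reveal whether the email is registered. A real flow would
        # keep the new account unconfirmed until the emailed link is followed.
        if exists:
            self.outbox.append((email, "someone-tried-to-sign-up"))
        else:
            self.users.add(email)
            self.outbox.append((email, "confirm-signup"))
        return Response(200, "Check your email to proceed with signup")
```

In `uniform` mode the only observable difference between the two cases is which template lands in the outbox, which is exactly the point: the caller of the signup endpoint cannot distinguish them, the mailbox owner can.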

utkarsh-1905 commented 5 months ago

Understood.

utkarsh-1905 commented 5 months ago

Hey guys, to be on the same page, this is the exact error, right? [Screenshot from 2024-05-10 10-55-50] Took me very long to set up the project; will be raising an issue to improve the contributing.md 🚀

utkarsh-1905 commented 5 months ago

[Screenshot from 2024-05-10 13-02-33] Is this error message okay, or something else?

dabeeeenster commented 5 months ago

Can we have "Email already exists. Please Login."

utkarsh-1905 commented 5 months ago

Okay, done.

rolodato commented 5 months ago

Sorry for nitpicking - this should be "Email already exists. Please log in.", since "login" is not a verb or a proper noun.

utkarsh-1905 commented 5 months ago

Opened a PR, #3924; ignore 21aa6c9 (irrelevant), I pushed it by mistake on my fork.