Currently, we prevent malicious users from obtaining information on the e-mails in our database by giving a non-informative error ("Could not create user, username or e-mail already in use.").
However, this causes unnecessary confusion for users and still allows malicious actors to obtain that information: by submitting a username that is almost certainly unused, any error they get back can only mean the e-mail exists, so they can probe e-mails one by one regardless.
Upon creating a user, an e-mail needs to be sent to the user's e-mail address, to verify that they have access to that e-mail.
Successfully solving this issue would require:
A new endpoint /register/request (this is the old /register endpoint, taking username, e-mail and password as input).
A new endpoint /register/confirm?token=..., which takes only a JWT as input and confirms the user's registration.
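As an added example (not the project's own code), a minimal in-memory sketch of the two endpoints in Python: /register/request answers identically whether or not the username or e-mail is already taken and only queues a confirmation mail for a genuinely new pair, and /register/confirm accepts an HS256 JWT that expires and can be used once. The JWT helpers, the signing key and the in-memory stores are assumptions standing in for the project's JWT library, configuration and database.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"demo-signing-key-replace-in-production"   # constructed demo key (assumption)
users = {"alice": "alice@example.com"}   # in-memory stand-in for the DB: username -> e-mail
pending = {}                              # jti -> (username, e-mail, password hash)
outbox = []                               # (recipient, token) pairs the demo mailer "sent"

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims):
    # Minimal HS256 JWT (header.payload.signature); stand-in for a JWT library.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def jwt_verify(token):
    # Return the claims only if the HMAC and the expiry check out, else None.
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:   # wrong part count, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > time.time() else None

def register_request(username, email, password):
    # /register/request: identical answer whether or not username/e-mail are taken.
    if username not in users and email not in users.values():
        jti = secrets.token_urlsafe(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), jti.encode(), 100_000).hex()
        pending[jti] = (username, email, pw_hash)
        outbox.append((email, jwt_sign({"jti": jti, "exp": int(time.time()) + 3600})))
    return {"status": "ok", "message": "If the details are valid, a confirmation e-mail has been sent."}

def register_confirm(token):
    # /register/confirm?token=...: create the account only for a valid, unused token.
    claims = jwt_verify(token)
    if claims is None or claims.get("jti") not in pending:
        return {"status": "error", "message": "Invalid or expired token."}
    username, email, pw_hash = pending.pop(claims["jti"])
    if username in users or email in users.values():   # taken since the request
        return {"status": "error", "message": "Invalid or expired token."}
    users[username] = email   # real code would persist pw_hash here as well
    return {"status": "ok", "username": username}
```

Because the request response never varies, the only party who learns whether an address is registered is whoever reads that mailbox; the confirm step re-checks uniqueness so two pending requests for the same name cannot both succeed.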