Currently, the account registration endpoint returns a 409 Conflict status code if the email or username is already taken. This is a security vulnerability because it can be used to guess users' email addresses (account enumeration). Instead, the endpoint should return a 409 status code if the specified username is not available, but not if the specified email is already in use. If the username is not taken, a status code such as 202 Accepted should be returned to indicate that the operation is in progress but may fail if the email has already been used. If the email is in fact already in use, an email should be sent to that address explaining that someone just tried to register an account with it. If the email is not in use, an account confirmation record should be generated and a link to confirm the account should be sent to the email.
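The following is an added example of the behaviour described above; it is not code from this project. It stands in for the real database and mail sender with a constructed in-memory `Store`, and the function names `register`, `confirm` and `make_sample_store` are assumptions chosen for illustration. The point it demonstrates is that, once the username check has passed, the HTTP status and body are identical whether or not the email is already registered; the only difference is which message is queued to that email address.

```python
import secrets
from dataclasses import dataclass, field


# Constructed in-memory stand-in for the user database and the outgoing mail queue.
@dataclass
class Store:
    usernames: set = field(default_factory=set)
    emails: set = field(default_factory=set)
    confirmations: dict = field(default_factory=dict)  # token -> (username, email)
    outbox: list = field(default_factory=list)         # (recipient, template name)


def make_sample_store():
    """Constructed sample state: one existing account ("alice")."""
    return Store(usernames={"alice"}, emails={"alice@example.com"})


# The single response body the 202 path ever returns. It must not vary with the
# email lookup, otherwise the body itself becomes an enumeration oracle.
PENDING_BODY = {
    "status": "pending",
    "detail": "If the request can proceed, an email has been sent to the address given.",
}


def register(store, username, email):
    """Return (status_code, body) and queue exactly one email per accepted request."""
    email = email.strip().lower()  # normalise so Alice@Example.com matches alice@example.com

    # Username availability is public information, so a conflict may be reported directly.
    if username in store.usernames:
        return 409, {"error": "username not available"}

    # From here on nothing returned to the caller may depend on the email lookup.
    if email in store.emails:
        # Existing account: inform its owner, not the caller.
        store.outbox.append((email, "someone-tried-to-register"))
    else:
        # New address: create the confirmation record and send the confirmation link.
        token = secrets.token_urlsafe(32)
        store.confirmations[token] = (username, email)
        store.outbox.append((email, "confirm-account"))

    # Both branches queue one message and return the same status and body.
    return 202, dict(PENDING_BODY)


def confirm(store, token):
    """Complete registration from a confirmation link; True on success, False otherwise."""
    record = store.confirmations.pop(token, None)
    if record is None:
        return False  # unknown, expired or already-used token
    username, email = record
    # Re-check: either value may have been claimed between registration and confirmation.
    if username in store.usernames or email in store.emails:
        return False
    store.usernames.add(username)
    store.emails.add(email)
    return True
```

In a real deployment the two 202 branches should also take comparable time (for instance by always performing the lookup and always enqueueing a message through the same path), since a measurable timing gap between "send notice" and "create record and send link" would leak the same information the identical response is meant to hide.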
Affected Functionality
The registration endpoint will have to be changed to match the functionality described above. Because this is a breaking API change, the frontend will need to be notified.
Other Relevant Issues
176