/auth/register should have the option to mask response to prevent existing users from being discovered #213
Comments
oliver-zhou
changed the title
Could you provide some background on the issue? Is it security or something else? |
|
For security : for those with Username == Email, we should give the developer the option to hide from the user that "Username is not found" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If for example, I'm using email addresses as the Username, I wouldn't want the system to respond that "A user with that username already exists.". It's the same problem that PASSWORD_RESET_SHOW_EMAIL_NOT_FOUND is trying to solve
Created a version controlling the response and email behavior in this situation - need to add some tests before creating a pull request.
The text was updated successfully, but these errors were encountered: