Hi all, I have an issue where I would like to change the error message that is shown to a user that is trying to sign up with an email address that already exists. Currently I get the generic error message “WE’RE SORRY, SOMETHING WENT WRONG WHEN ATTEMPTING TO SIGN UP.”
When I check the dev console logs, I see a POST error 400 with the following content: {"name":"BadRequestError","code":"invalid_signup","description":"Invalid sign up","statusCode":400}
I dug a bit deeper and found this documentation where it says what the invalid_signup error means, but it does not say much. This is what it says: “The user you are attempting to sign up is invalid”.
Furthermore, I checked the logs on my dashboard and saw the following there when a user tries to sign up with an email that already exists:
My question is, why is the text in the Description field in the screenshot above not used as the error message on the Auth0 signup page? Could there be a misconfiguration in the settings for my application on the dashboard?
The behavior of displaying the same message regardless of whether there is already a user associated with an email address or username is by design.
To return a message indicating that the email address or user already exists would expose the application to user enumeration. User enumeration allows potentially malicious third-parties to learn the usernames and/or email addresses of legitimate users, which the third party can then use to attempt to gain access to user accounts through guessing passwords, brute force attacks, or matching usernames to a list of passwords leaked from other services.
Please see here for some additional information on OWASP recommendations regarding user enumeration.
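An added illustration of the design Kris describes, not code from Auth0 or from this thread: a hypothetical signup handler that returns the same client-facing body for every rejection while recording the specific reason only in the server-side log (the dashboard log in the question). The in-memory user store, function names and rejection reasons are constructed for the example.

```python
import logging
from typing import Dict, Set, Tuple

# One generic body for every rejection, shaped like the 400 response quoted in the question.
GENERIC_ERROR: Dict = {
    "name": "BadRequestError",
    "code": "invalid_signup",
    "description": "Invalid sign up",
    "statusCode": 400,
}

log = logging.getLogger("signup")


def leaky_signup(email: str, users: Set[str]) -> Dict:
    """Anti-pattern: the response text differs by failure cause, so an
    unauthenticated caller can tell registered addresses from invalid ones."""
    if email in users:
        return {"statusCode": 400, "description": "The user already exists."}
    if "@" not in email:
        return {"statusCode": 400, "description": "Malformed email address."}
    users.add(email)
    return {"statusCode": 200, "description": "User created."}


def safe_signup(email: str, users: Set[str]) -> Tuple[Dict, str]:
    """Returns (client_response, server_side_reason).

    Every failure yields an identical client body; the detailed cause is
    written only to the server log, which is not visible to the caller."""
    if email in users:
        reason = "user_exists"
    elif "@" not in email:
        reason = "invalid_email"
    else:
        users.add(email)
        return {"statusCode": 200, "description": "User created."}, "created"
    # Detailed reason stays server-side; the returned body never varies by cause.
    log.info("signup rejected reason=%s", reason)
    return dict(GENERIC_ERROR), reason
```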
Hi Kris. You make a very good point, which is also one that I forgot about since I started using Auth0. I guess the reason for me forgetting about this is that, since I started using Auth0, I have not built custom sign up and login processes in a while. If I did build a custom sign up process, I would’ve definitely had your argument with myself and I would also not mention to the user/bot that the user already exists.