We want to prevent the possibility of a malicious actor enumerating existing users via the sign-up form / API.
Currently, if a user tries to sign up with an email that already is in our system, they get an error. If they try to sign up with an email not in our system, they succeed. Therefore user enumeration is possible (regardless of whether the error specifically mentions that the user exists or not).
We’d like the sign-up form to display a success message stating that a verification email has been sent, regardless of whether the user already exists or not. We’re still beginning to find out how to achieve that.
Is this something that could be achieved with the use of hooks? Or is there another solution?
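An added example, not part of the original post and not tied to any particular product's hook API: one way a sign-up handler can return an identical response for new and already-registered emails, moving the difference into the email that is sent. `USERS`, `OUTBOX`, `signup`, the template names and the response text are hypothetical in-memory stand-ins.

```python
import hashlib
import secrets

# In-memory stand-ins (assumptions) for the user table and the mail queue.
USERS = {}    # normalized email -> {"pw": bytes, "salt": bytes, "verified": bool}
OUTBOX = []   # (recipient, template, token) tuples a background mail worker sends

# One response object for every outcome: same status, same body.
GENERIC_RESPONSE = {
    "status": 202,
    "message": "A verification email has been sent. Check your inbox to continue.",
}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def signup(email, password):
    """Handle a sign-up request without revealing whether the email exists."""
    key = email.strip().lower()
    salt = secrets.token_bytes(16)
    # Hash before the lookup so both branches do the same expensive work
    # and response time does not show which branch ran.
    pw_hash = _hash_password(password, salt)
    if key in USERS:
        # Existing account: stored credentials are left untouched. The owner
        # is told out of band that someone tried to register their address.
        OUTBOX.append((key, "account_exists_notice", None))
    else:
        USERS[key] = {"pw": pw_hash, "salt": salt, "verified": False}
        OUTBOX.append((key, "verify_email", secrets.token_urlsafe(32)))
    # Mail is queued, not sent inline, so delivery latency is not observable.
    return dict(GENERIC_RESPONSE)


if __name__ == "__main__":
    # Constructed sample addresses.
    print(signup("alice@example.com", "first-password"))
    print(signup("alice@example.com", "other-password"))
    print([(to, template) for to, template, _ in OUTBOX])
```

The same indistinguishability has to hold on login and password-reset endpoints, and rate limiting on sign-up is still needed so the notice email cannot be used to flood an existing user's inbox.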