We would like to prevent an attacker from obtaining a list of our users. Unfortunately, the signup functionality on the Auth0 database connection returns a particular error code, user_exists, when the user already exists. This allows an attacker to identify users by attempting to sign up.
We would like to suppress this error response in all situations where the signup is not allowed (e.g. because a pre-registration hook has prevented signup, because the user already exists, etc.).
Is this possible?
Welcome to the Auth0 Community!
This issue is known and exists in our product backlog, but unfortunately there is no confirmed ETA. If this feature is something that is important to you, I would suggest you provide some feedback. This can provide context on your specific use case and can open a conversation between you and the team if they have any questions about your specific issue.
In the meantime, the workaround has been to disable the signup endpoint and use the Management API with a custom UI to register your users.
Hope this helps,
Can I also express that this feature is very important to us too. Right now our users can be enumerated using the signup route. We have also implemented a pre-user-registration hook that does a reCAPTCHA check, but unfortunately Auth0 runs the user-exists check before running our hook.
Please can we have a solution to this.
Welcome to the Auth0 Community Forum!
Thank you for reaching out with your input. The best way right now to communicate this to our product team is to submit it in our feedback form. The team looks at each feedback ticket individually, and it can help open a conversation between you and the team if they need more information or context.
As I said above, the current workaround is to disable the signup endpoint and use a custom UI to register users. This gives you control over the error messages that get passed to the user.
Thanks again for reaching out with your input, I highly recommend using the feedback link I provided above. It is the best channel of communication for this kind of request.