
"Invalid email address" when account already exists #3886

Open
4 tasks
rolodato opened this issue May 6, 2024 · 12 comments
Open
4 tasks

"Invalid email address" when account already exists #3886

rolodato opened this issue May 6, 2024 · 12 comments
Assignees
Labels
bug Something isn't working

Comments

@rolodato
Contributor

rolodato commented May 6, 2024

How are you running Flagsmith

  • Self Hosted with Docker
  • Self Hosted with Kubernetes
  • SaaS at flagsmith.com
  • Some other way (add details in description below)

Describe the bug

In #1089, the signup logic was changed to return "Invalid email address" when trying to sign up a new account with an existing email address. This is a bug.

Steps To Reproduce

  1. Sign up to Flagsmith
  2. Try to sign up with the same email address again
  3. Error message is "Invalid email address"

Expected behavior

The error message should state that the account already exists, and maybe suggest that the user logs in instead. Trying to obfuscate this message is mostly security theatre and does not provide any real security benefit.

One alternative could be to allow the signup flow to continue if the account already exists, showing a message like "Check your email to proceed with signup". We could send an email to the user in this case saying that someone tried to sign up with their email, and suggest they log in instead. If their email does not already exist, send them a confirmation email. Note that Flagsmith does not currently send confirmation emails.

Screenshots

No response
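As an added illustration of the two behaviours this issue weighs (example code, not Flagsmith's; the class names, the in-memory user set and the "Account created" success text are assumptions), the reported response sits beside the enumeration-safe "alternative" flow, where every well-formed address gets the same reply and only the email sent to that address differs:

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class SignupResult:
    message: str                          # text shown to whoever submitted the form
    outbound_email: Optional[str] = None  # sent to the address itself, not to the requester


class CurrentSignup:
    """Behaviour reported in the issue: a taken address gets the same text as a
    malformed one ("Invalid email address"), yet the response still differs from
    the success path, so a well-formed address that is rejected must be registered."""

    def __init__(self, existing: Iterable[str]):
        self.existing = set(existing)  # assumption: stands in for the user table

    def signup(self, email: str) -> SignupResult:
        if "@" not in email or email in self.existing:
            return SignupResult("Invalid email address")
        self.existing.add(email)
        return SignupResult("Account created")  # assumed success text


class EnumerationSafeSignup:
    """The 'alternative' from the issue: every well-formed address receives
    'Check your email to proceed with signup'; the registered/unregistered
    distinction only reaches the mailbox owner."""

    def __init__(self, existing: Iterable[str]):
        self.existing = set(existing)

    def signup(self, email: str) -> SignupResult:
        if "@" not in email:
            return SignupResult("Invalid email address")  # genuinely malformed only
        if email in self.existing:
            mail = "Someone tried to sign up with your email. Please log in instead."
        else:
            self.existing.add(email)  # assumption: a pending record until confirmed
            mail = "Confirm your email address to proceed with signup."
        return SignupResult("Check your email to proceed with signup", mail)


def responses_distinguish_accounts(service, registered: str, unregistered: str) -> bool:
    """True if an unauthenticated caller can tell a registered address from an
    unregistered one using nothing but the signup response text."""
    return service.signup(registered).message != service.signup(unregistered).message
```

Sample addresses in any check are constructed; the point is that `responses_distinguish_accounts` is true for `CurrentSignup` and false for `EnumerationSafeSignup`.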

@rolodato rolodato added the bug Something isn't working label May 6, 2024
@kyle-ssg kyle-ssg assigned kyle-ssg and unassigned kyle-ssg May 7, 2024
@utkarsh-1905
Contributor

Hey, if you haven't solved this, can I take this up? I am looking to contribute to Flagsmith, and this can be a good issue to start with.

@dabeeeenster
Contributor

Sure! Will assign!

@dabeeeenster
Contributor

I prefer the "alternative" so we don't leak information here.

@utkarsh-1905
Contributor

Yup, the alternative looks like a better way to me too from a user point of view; will start working on it, thanks.

@rolodato
Contributor Author

rolodato commented May 8, 2024

I've clarified this now in the original issue - please note that Flagsmith does not currently send confirmation emails, so that approach will take a lot more work.

My opinion would be to go with the first approach for now. Being an open source project it doesn't make much sense to obfuscate the message - it's trivial to see that trying to sign up with a valid email and receiving "Invalid email address" means that the email is already registered, i.e. we're leaking the information anyway, just in a way that is confusing to customers. Later on we can implement the second approach.

@utkarsh-1905
Contributor

Understood.

@utkarsh-1905
Contributor

utkarsh-1905 commented May 10, 2024

Hey guys, to be on the same page, this is the exact error, right?
Screenshot from 2024-05-10 10-55-50
Took me very long to set up the project; will be raising an issue to improve the contributing.md 🚀

@utkarsh-1905
Contributor

Screenshot from 2024-05-10 13-02-33
Is this error message okay, or something else?

@dabeeeenster
Contributor

Can we have Email already exists. Please Login.

@utkarsh-1905
Contributor

Okay, done.

@rolodato
Contributor Author

Sorry for nitpicking - this should be Email already exists. Please log in., since "login" is not a verb or a proper noun.

utkarsh-1905 added a commit to utkarsh-1905/flagsmith that referenced this issue May 10, 2024
…or whenever

it encounters a duplicate user.

Signed-off-by: Utkarsh Tripathi <utripathi2002@gmail.com>
@utkarsh-1905
Contributor

utkarsh-1905 commented May 10, 2024

Opened a PR, #3924; ignore 21aa6c9 (irrelevant), I pushed it by mistake on my fork.
