Login page should not show if a user was found or not #1524 #1537
Comments
Hi @lukevella, I’ve worked on fixing the authentication flow to enhance security by preventing email enumeration during authentication processes. Could you review the PR when you get a chance? Here’s the updated flow: https://github.com/user-attachments/assets/c736c4bb-8f5b-4ed0-ba4d-f4bba3b0eedc Thanks!
Can I work on this issue? Please assign it to me.
@princesinghrajput just pinging about this issue, it seems the community and project are improving faster 🔥
I am not able to sign up as a user while running the app on my local. I am not receiving any code. I guess it's because of the local environment. In any case, I can't login/signup. Any help?
You should search and/or open a new issue, but it seems to be related to your SMTP configuration. You need it prior to using this software. Read this: https://support.rallly.co/self-hosting/docker-compose#3-configure-your-smtp-server
Original issue: #1524
When a user tries to login with an email that does not have a registered account, we respond with an error saying that a user does not exist with this email. This allows malicious users to discover which users have a registered account which is a valid security concern. We can avoid exposing this information by proceeding to the verification page and instead mention that a verification code will be sent "if" a user has a registered account with that email.
Additionally, we will need to update the registration flow to not expose when an account already exists and instead send a login email.
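A sketch of the flow the issue proposes, added here as an example; it is not Rallly's code and not the code from the linked PR. The in-memory `users`, `outbox` and `pending` stores, the function names and the `/verify` path are hypothetical stand-ins.

```typescript
type Kind = "login" | "register";
type Mail = { to: string; kind: Kind; code: string };

// Constructed in-memory stand-ins for the user table, mail queue and pending codes.
const users = new Set<string>(["alice@example.com"]);
const outbox: Mail[] = [];
const pending = new Map<string, Mail>();

// Identical response body for every request, whatever the lookup found.
const NEUTRAL = {
  next: "/verify", // hypothetical route for the verification page
  message: "If this email can be used here, we have sent it a verification code.",
};

function newCode(): string {
  // Web Crypto global (Node 20+ and browsers); modulo bias is negligible at 6 digits.
  const n = crypto.getRandomValues(new Uint32Array(1))[0] % 1000000;
  return String(n).padStart(6, "0");
}

function queueCode(to: string, kind: Kind): void {
  const mail: Mail = { to, kind, code: newCode() };
  pending.set(to, mail);
  outbox.push(mail); // queued, not sent inline, so response time does not depend on the lookup
}

function requestLogin(rawEmail: string): typeof NEUTRAL {
  const email = rawEmail.trim().toLowerCase();
  if (users.has(email)) queueCode(email, "login"); // unknown address: send nothing, say nothing
  return NEUTRAL;
}

function requestRegistration(rawEmail: string): typeof NEUTRAL {
  const email = rawEmail.trim().toLowerCase();
  // Existing account: send a login email instead of reporting "already registered".
  queueCode(email, users.has(email) ? "login" : "register");
  return NEUTRAL;
}

function verify(rawEmail: string, code: string): { ok: boolean; error?: string } {
  const email = rawEmail.trim().toLowerCase();
  const entry = pending.get(email);
  // Same error for a wrong code and for an address that was never sent one.
  if (!entry || entry.code !== code) return { ok: false, error: "Invalid or expired code" };
  pending.delete(email); // single use
  if (entry.kind === "register") users.add(email);
  return { ok: true };
}
```

The verification step has to stay as uniform as the request step: a distinct "no such account" error there would reopen the same enumeration channel.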