Login page should not show if a user was found or not #1524

[lukevella]

Original issue: #1524

When a user tries to login with an email that does not have a registered account, we respond with an error saying that a user does not exist with this email. This allows malicious users to discover which users have a registered account which is a valid security concern. We can avoid exposing this information by proceeding to the verification page and instead mention that a verification code will be sent "if" a user has a registered account with that email.

Additionally, we will need to update the registration flow to not expose when an account already exists and instead send a login email.

[princesinghrajput]

Hi @lukevella,

I’ve worked on fixing the authentication flow to enhance security by preventing email enumeration during authentication processes.

Could you review the PR when you get a chance?

Here’s the updated flow: https://github.com/user-attachments/assets/c736c4bb-8f5b-4ed0-ba4d-f4bba3b0eedc

Thanks!

[khalidkhankakar]

Can I work on this issue. Please Assign it to me.

[satonotdead]

@princesinghrajput just pinging about this issue, it seems the community and project are improving faster 🔥