Login:
- Valid email + valid password = login success
- Valid email + invalid password = "incorrect details" error
- Unregistered email + some password = "incorrect details" error (the same error, word for word, as for a wrong password)
Register (the tricky part where the magic happens):
- Used an already registered email = tell the user an email confirmation has been sent, but send no email
- Used a new email = tell the user an email confirmation has been sent, and really send it
- Both responses must be identical (same text, same status code, roughly the same response time), otherwise the difference itself tells the requester whether the email is taken
Forgot password:
- Enter a registered email = "if you have an account an email has been sent to you"
- Enter an unregistered email = "if you have an account an email has been sent to you"
Rate limiting:
- Every route should be rate limited globally, regardless of whether it sends an email or not and regardless of whether the request comes from a new IP; the next bullets describe how
- Don't let people send confirmation emails to other people's addresses in a spammy way: there should be a global rate limit keyed on the email address itself, not (only) on the IP
- Don't let people attempt to log in too many times, either from the same IP or against the same user (two separate rate limits). This way, if the attacker switches IPs, the account's username/email itself is still under rate limit
❌ What not to do on register (this tells anyone who types an address whether it has an account):
- Used an already registered email = "email already in use" error
- Used a new email = confirmation email sent
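As an added example (not code from this gist), here is a small in-memory Python model of the three flows above together with the three rate limits. The class names, the limit values (20 requests per IP per minute, 5 login attempts per account per minute, 3 emails per address per hour), the PBKDF2 password hashing and the sample addresses are assumptions chosen for the example, not something the gist specifies. The point to notice is that every public response is a fixed string that is the same on the "account exists" and "account does not exist" paths, that mail only leaves through one function that enforces the per-address limit, and that rotating IPs does not reset the per-account login limit.

```python
"""Added example: enumeration-safe login / register / forgot-password flows with
the three rate limits described above. Illustrative code written for this page,
not code from the gist; class names, limits and hashing parameters are assumptions."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# One fixed message per outcome. The "account exists" and "account does not
# exist" paths must return the *same* string so the response leaks nothing.
LOGIN_OK = "login success"
LOGIN_FAIL = "incorrect details"
CONFIRMATION_SENT = "an email confirmation has been sent"
RESET_SENT = "if you have an account an email has been sent to you"
RATE_LIMITED = "too many requests, try again later"


class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def _hash(password, salt):
    # PBKDF2 is an assumption for the example; any slow password hash works.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self):
        self.users = {}    # email -> (salt, password hash); constructed in-memory store
        self.outbox = []   # (email, kind) for every email that was *really* sent
        # Three independent limits (values are assumptions):
        self.per_ip = RateLimiter(limit=20, window=60)           # every route, keyed by client IP
        self.per_account = RateLimiter(limit=5, window=60)       # login attempts, keyed by email
        self.per_email_sent = RateLimiter(limit=3, window=3600)  # outbound mail, keyed by address

    def _send(self, email, kind, now):
        """The only place mail leaves the system; enforces the per-address limit."""
        if self.per_email_sent.allow(email, now):
            self.outbox.append((email, kind))

    def login(self, email, password, ip, now=None):
        # Per-IP limit first, then per-account: rotating IPs does not reset the second one.
        if not self.per_ip.allow(ip, now) or not self.per_account.allow(email, now):
            return RATE_LIMITED
        record = self.users.get(email)
        if record is None:
            _hash(password, b"\x00" * 16)  # burn the same cost so timing does not reveal "no such user"
            return LOGIN_FAIL
        salt, stored = record
        if hmac.compare_digest(_hash(password, salt), stored):
            return LOGIN_OK
        return LOGIN_FAIL

    def register(self, email, password, ip, now=None):
        if not self.per_ip.allow(ip, now):
            return RATE_LIMITED
        if email in self.users:
            _hash(password, b"\x00" * 16)  # match the cost of the real path; nothing else changes, no mail
        else:
            salt = os.urandom(16)
            self.users[email] = (salt, _hash(password, salt))  # a real app would mark this "pending confirmation"
            self._send(email, "confirm", now)
        return CONFIRMATION_SENT  # identical text on both paths

    def forgot_password(self, email, ip, now=None):
        if not self.per_ip.allow(ip, now):
            return RATE_LIMITED
        if email in self.users:
            self._send(email, "reset", now)
        return RESET_SENT  # identical text whether or not the account exists


if __name__ == "__main__":
    svc = AuthService()
    print(svc.register("alice@example.com", "hunter22", "10.0.0.1"))
    print(svc.register("alice@example.com", "other-pw", "10.0.0.2"))  # same text, no second mail
    print(svc.forgot_password("nobody@example.com", "10.0.0.3"))       # same text as for alice
    print(svc.outbox)
```

The `now` parameter exists only so the limiter can be driven deterministically; in a real service the limiter state would live in a shared store (Redis or similar) rather than process memory, and the per-IP limit would sit in front of every auth route, not just these three.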
People always say that letting someone generate a list of your app's users is a big security vulnerability.
Yet some websites let you enter an email associated with an account: if the email is registered it takes you to the password page, and if it is not registered it takes you to a sign-up page.
Why is this happening? And how can this be solved?
Usually developers are not security experts, and the login pages they implement often contain common vulnerabilities like this one (though naming the vulnerable sites is not a good idea in my opinion, fyi).
I agree with the saying that the login, forgot-password and register pages shouldn't tell people whether there is already an account under this username.
But when you really think about it, how can one register on a website without knowing whether their email is already taken?
Should the login page just say "something went wrong" when an email that is already in use is entered?
Those are good questions.
Implementing rate limits on the login can help to partly solve the problem, or at least delay it, but not truly eliminate it.
This is why this gist exists: to help you conquer this problem and eat it for breakfast 😎