DEV Community: Prath The latest articles on DEV Community by Prath (@prath47). https://dev.to/prath47 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3881697%2F5f8f0e0d-49c5-4067-b758-15f183429564.jpeg DEV Community: Prath https://dev.to/prath47 en Hmm....🚨 OAuth vs Email Signup Conflict — Security or Bad UX? (Need your opinion) Prath Thu, 16 Apr 2026 15:14:27 +0000 https://dev.to/prath47/hmm-oauth-vs-email-signup-conflict-security-or-bad-ux-need-your-opinion-1df6 https://dev.to/prath47/hmm-oauth-vs-email-signup-conflict-security-or-bad-ux-need-your-opinion-1df6 <p>Hello guys, <br> This is my first post. Apologies if any mistake is there.</p> <p>So in the morning i came across this git issue on the appwrite git repo #11908.</p> <p>🧪 Scenario<br> A user signs up using Google OAuth (<a href="mailto:myemail@google.com">myemail@google.com</a>)<br> Then tries to sign up again using email/password (account.create())</p> <p>🤔 Expected Behavior<br> Appwrite should return:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"A user with the same id, email, or phone already exists in this project."</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">409</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user_already_exists"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>😕 Actual Behavior<br> Instead, it returns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"There was an error processing your request."</span><span class="p">,</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">400</span><span class="p">,</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"general_bad_request"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>🧠 What's Going On?</p> <p>In the codebase, this seems intentional:<br> “Return a generic bad request to prevent exposing existing accounts”<br> So this is clearly a security decision to avoid account enumeration.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7enigpyxpfufixqn9wzg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7enigpyxpfufixqn9wzg.png" alt=" "></a></p> <p>BUT…</p> <p>⚖️ The Inconsistency</p> <p>If a user signs up normally (email/password) and tries again →<br> Appwrite does return 409 user_already_exists</p> <p>So:</p> <p>Case Response<br> Email → Email again 409 (explicit)<br> OAuth → Email 400 (generic)</p> <p>This means:<br> 👉 Enumeration is already possible<br> 👉 But UX is bad only in OAuth cases</p> <p>💥 Why This Matters</p> <p>For real apps:</p> <p>Users get confused (“Did I already sign up?”)<br> No clear path to login instead<br> Poor first impression of auth flow</p> <p>❓ The Real Question</p> <p>What should be the correct behavior here?</p> <p>Option A — Security First 🔒<br> Always return generic errors (400)<br> ➡️ Prevents enumeration, but hurts UX</p> <p>Option B — Consistency + UX 👍<br> Always return 409 user_already_exists<br> ➡️ Better UX, but leaks account existence</p> <p>Option C — Smarter Approach 🧠<br> Return 409<br> BUT guide user: “Try logging in with Google”<br> Or auto-link identities<br> 💬 I’d Love Your Thoughts<br> How do you handle this in your apps?<br> Is account enumeration still a real concern here?<br> Should OAuth + email accounts be auto-linked?</p> <p>Let’s discuss 👇</p> webdev github appwritehack opensource