Hello guys,
This is my first post. Apologies if any mistake is there.
So in the morning i came across this git issue on the appwrite git repo #11908.
π§ͺ Scenario
A user signs up using Google OAuth (myemail@google.com)
Then tries to sign up again using email/password (account.create())
π€ Expected Behavior
Appwrite should return:
{
"message": "A user with the same id, email, or phone already exists in this project.",
"code": 409,
"type": "user_already_exists"
}
π Actual Behavior
Instead, it returns:
{
"message": "There was an error processing your request.",
"code": 400,
"type": "general_bad_request"
}
π§ What's Going On?
In the codebase, this seems intentional:
βReturn a generic bad request to prevent exposing existing accountsβ
So this is clearly a security decision to avoid account enumeration.
BUTβ¦
βοΈ The Inconsistency
If a user signs up normally (email/password) and tries again β
Appwrite does return 409 user_already_exists
So:
Case Response
Email β Email again 409 (explicit)
OAuth β Email 400 (generic)
This means:
π Enumeration is already possible
π But UX is bad only in OAuth cases
π₯ Why This Matters
For real apps:
Users get confused (βDid I already sign up?β)
No clear path to login instead
Poor first impression of auth flow
β The Real Question
What should be the correct behavior here?
Option A β Security First π
Always return generic errors (400)
β‘οΈ Prevents enumeration, but hurts UX
Option B β Consistency + UX π
Always return 409 user_already_exists
β‘οΈ Better UX, but leaks account existence
Option C β Smarter Approach π§
Return 409
BUT guide user: βTry logging in with Googleβ
Or auto-link identities
π¬ Iβd Love Your Thoughts
How do you handle this in your apps?
Is account enumeration still a real concern here?
Should OAuth + email accounts be auto-linked?
Letβs discuss π
Top comments (0)