Prevent account enumeration via signup error messages (Issue #697)

[anshul23102]

Summary

Replace specific 'User already exists' error message with generic 'Username or email is invalid' message. This prevents attackers from enumerating valid email addresses and usernames in the system by observing different error messages during signup attempts.

Changes

• Changed error message on duplicate user detection to generic message
• Changed duplicate key error message to match generic message
• Prevents account enumeration attacks that rely on error message differences

Testing

1. Attempt to sign up with an existing email address
2. Verify response returns generic error message
3. Attempt to sign up with an existing username
4. Verify response returns same generic error message as email
5. Verify no difference in error messages between existing vs non-existing users

Type of Change

• Security fix

Contributor Declaration

This contribution is original work and I have the right to contribute this code to the project. I understand that the project is licensed under its respective license and my contributions will be available under the same license terms.

Closes #697

Summary by CodeRabbit

• Bug Fixes
  • Updated the error message displayed when attempting to sign up with a duplicate username or email address.

[netlify]

✅ Deploy Preview for github-spy ready!

Name	Link
🔨 Latest commit	42cdd16
🔍 Latest deploy log	https://app.netlify.com/projects/github-spy/deploys/6a209cf7818d2a0008bdb7f5
😎 Deploy Preview	https://deploy-preview-702--github-spy.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

The signup endpoint's duplicate user detection now returns a generic error message instead of revealing whether a username or email is already registered. This prevents attackers from enumerating valid email addresses via the signup form.

Changes

Account enumeration prevention

Layer / File(s)	Summary
Signup duplicate user error message backend/routes/auth.js	Error message for duplicate users is changed from "User already exists" to "Username or email is invalid" in both the pre-save existence check and the MongoDB duplicate-key error catch, eliminating information leakage that enables email enumeration.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• GitMetricsLab/github_tracker#252: Directly overlaps with this PR as both modify the /signup duplicate-user error handling in backend/routes/auth.js.

Suggested labels

type:security, type:bug, quality:clean

Poem

🐰 A message once sang "User exists, hooray!"
But attackers could guess who'd signed up that day.
Now generic replies keep the truth tucked away,
So account hunters can't enumerate—hip hip hooray!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR addresses the core enumeration vulnerability by using a generic error message, but does not implement rate limiting as recommended in Issue #697.	Implement rate limiting on the signup endpoint (e.g., express-rate-limit with 5 requests per 15 minutes) as specified in the linked issue to fully mitigate enumeration attacks.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the primary change: modifying signup error messages to prevent account enumeration, directly addressing Issue #697.
Description check	✅ Passed	The description covers the key aspects with summary, changes, testing steps, type of change, and contributor declaration, though the generic message differs slightly from the recommended solution.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the account enumeration vulnerability described in Issue #697; no out-of-scope modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

backend/routes/auth.js (1)

24-30: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove raw internal error leakage from signup responses.

At Line 29, returning error: err.message exposes backend internals in a public auth endpoint. This conflicts with the enumeration-hardening goal and can leak DB/runtime details. Return a generic message only, and log err.message server-side instead.

Suggested patch

-        res.status(500).json({ message: 'Error creating user', error: err.message });
+        // Log detailed error internally only
+        console.error('Signup error:', err);
+        res.status(500).json({ message: 'Signup failed. Please try again or contact support.' });

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/routes/auth.js` around lines 24 - 30, The catch block in the signup
route currently returns raw internal error details (err.message) to clients;
instead log the full error server-side and return only a generic message. Update
the catch in backend/routes/auth.js so that when not handling the duplicate-key
(err.code === 11000) case you call your server logger (e.g., console.error or
the app logger) with the err object (for example: log "Error creating user" and
err) and then send res.status(500).json({ message: 'Error creating user' })
without including err.message or any error field.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@backend/routes/auth.js`:
- Line 19: Update the signup tests to match the new sanitized error message
returned by the signup handler: where the spec (auth.routes.spec.cjs) asserts
the old "User already exists" message, change those expectations to the new
"Username or email is invalid" string to match the res.status(400).json response
in the signup route handler in auth.js (the POST /signup / signup handler that
returns the sanitized error at the two call sites). Ensure both assertions that
expect the old message are updated so tests validate the new contract.

---

Outside diff comments:
In `@backend/routes/auth.js`:
- Around line 24-30: The catch block in the signup route currently returns raw
internal error details (err.message) to clients; instead log the full error
server-side and return only a generic message. Update the catch in
backend/routes/auth.js so that when not handling the duplicate-key (err.code ===
11000) case you call your server logger (e.g., console.error or the app logger)
with the err object (for example: log "Error creating user" and err) and then
send res.status(500).json({ message: 'Error creating user' }) without including
err.message or any error field.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ae31b052-c94f-430e-a36e-a21c98cca596

📥 Commits

Reviewing files that changed from the base of the PR and between 53f820b and 42cdd16.

📒 Files selected for processing (1)

• backend/routes/auth.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update downstream signup spec to match the new sanitized message contract.

The response contract changed at Line 19 and Line 26, but spec/auth.routes.spec.cjs (lines 71-88 in provided context) still expects "User already exists". This will cause test failures and leaves validation of the new security behavior incomplete.

Also applies to: 26-26

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@backend/routes/auth.js` at line 19, Update the signup tests to match the new
sanitized error message returned by the signup handler: where the spec
(auth.routes.spec.cjs) asserts the old "User already exists" message, change
those expectations to the new "Username or email is invalid" string to match the
res.status(400).json response in the signup route handler in auth.js (the POST
/signup / signup handler that returns the sanitized error at the two call
sites). Ensure both assertions that expect the old message are updated so tests
validate the new contract.

[anshul23102]

Could the maintainers please add relevant labels to this PR? Suggested labels:

• gssoc:approved
• type:security
• severity:high
• area:security

This would help with issue tracking and organization. Thank you!