Wasp3mo ago
jit

Remove ability to sign up with email that already is tied to an account

I am using the Open SaaS template. After I create an account with a certain email, and then try making another account with the same email, it says that it was successful. How do I fix this?
6 Replies
kapa.ai
kapa.ai3mo ago
Hi @jit. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

----------------------

By default, Wasp's email signup flow is designed to prevent leaking whether an email is already registered. If someone tries to sign up with an email that already exists and is verified, Wasp pretends the account was created, rather than revealing that the email is already in use. This is a deliberate security feature to prevent attackers from discovering which emails are registered in your app.

If the email exists but is unverified, Wasp allows registration to prevent bad actors from locking out legitimate users from registering with their own email address (Docs: Email Signup).

If you want to change this behavior and block signups with any email that already exists (regardless of verification status), you will need to implement a custom signup action. In your custom signup logic, you can check if the email already exists and return an error if it does, instead of pretending the signup was successful.

Here's a starting point for a custom signup action in Wasp (TypeScript example):
    import {
      ensurePasswordIsPresent,
      ensureValidPassword,
      ensureValidEmail,
      createProviderId,
      findAuthIdentity,
      sanitizeAndSerializeProviderData,
      createUser,
    } from 'wasp/server/auth'
    // HttpError lives in 'wasp/server', not 'wasp/server/auth'
    import { HttpError } from 'wasp/server'
    import type { CustomSignup } from 'wasp/server/operations'

    type CustomSignupInput = {
      email: string
      password: string
    }
    type CustomSignupOutput = {
      success: boolean
      message: string
    }

    export const signup: CustomSignup<CustomSignupInput, CustomSignupOutput> = async (args, _context) => {
      // These throw an HttpError if the input is malformed, so no manual checks are needed here
      ensureValidEmail(args)
      ensurePasswordIsPresent(args)
      ensureValidPassword(args)

      const providerId = createProviderId('email', args.email)
      const existingAuthIdentity = await findAuthIdentity(providerId)
      if (existingAuthIdentity) {
        // Block signup if email already exists, regardless of verification status
        throw new HttpError(400, 'This email address is already in use.')
      }

      // User creation as in the Wasp docs' custom sign-up example:
      // sanitizeAndSerializeProviderData hashes the password before it is stored
      const newUserProviderData = await sanitizeAndSerializeProviderData<'email'>({
        hashedPassword: args.password,
        isEmailVerified: false,
        emailVerificationSentAt: null,
        passwordResetSentAt: null,
      })
      await createUser(
        providerId,
        newUserProviderData,
        // Any additional data you want to store on the User entity
        {}
      )

      return { success: true, message: 'User created successfully' }
    }
You can further customize the error handling and messaging as needed. For more details on customizing the signup flow, see the official docs: Customizing the Auth Flow and Creating a Custom Sign-up Action.

Note: This change will reveal to users whether an email is already registered, which may have security/privacy implications. Consider if this is appropriate for your application.

----------------------

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:

----------------------

Sorry @jit, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
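The trade-off the reply describes (a uniform "success" response versus an explicit "already in use" error) is easiest to see with both policies side by side. The following is an added, stand-alone example and is not Wasp code or the Open SaaS template: it models the auth-identity table with an in-memory map, hashes passwords with Node's scrypt, and includes a small probe that tells you whether a signup policy lets an attacker distinguish a registered address from an unknown one. The `IdentityStore`, `signupSafe`, `signupStrict` and `leaksRegistration` names, and the fixture in `seededStore`, are all constructed for this example.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto'

// Minimal in-memory stand-in for the auth identity table (constructed for this example).
type Identity = {
  email: string            // normalized: trimmed and lower-cased
  hashedPassword: string   // "<salt-hex>:<scrypt-key-hex>"
  isEmailVerified: boolean
}
type SignupResult = { success: boolean; message: string }
type SignupPolicy = (store: IdentityStore, email: string, password: string) => SignupResult

class IdentityStore {
  private byEmail = new Map<string, Identity>()
  find(email: string): Identity | undefined { return this.byEmail.get(email) }
  upsert(id: Identity): void { this.byEmail.set(id.email, id) }
  markVerified(email: string): void {
    const id = this.byEmail.get(email)
    if (id) id.isEmailVerified = true
  }
}

// Case-insensitive lookup: otherwise Alice@example.com and alice@example.com
// would be two different accounts and the duplicate check would be bypassable.
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase()
}

function hashPassword(password: string): string {
  const salt = randomBytes(16)
  return `${salt.toString('hex')}:${scryptSync(password, salt, 32).toString('hex')}`
}

function verifyPassword(store: IdentityStore, email: string, password: string): boolean {
  const id = store.find(normalizeEmail(email))
  if (!id) return false
  const [saltHex, keyHex] = id.hashedPassword.split(':')
  const expected = Buffer.from(keyHex, 'hex')
  const actual = scryptSync(password, Buffer.from(saltHex, 'hex'), 32)
  return timingSafeEqual(actual, expected)   // both are 32 bytes
}

// One response for every outcome, so the reply body tells a caller nothing about the address.
const GENERIC_OK: SignupResult = { success: true, message: 'Check your inbox to verify your email address.' }

// Policy A: the enumeration-resistant behaviour the reply above describes as Wasp's default.
const signupSafe: SignupPolicy = (store, email, password) => {
  const normalized = normalizeEmail(email)
  const existing = store.find(normalized)
  if (existing && existing.isEmailVerified) {
    // A verified account already owns this address: pretend success and change nothing.
    return GENERIC_OK
  }
  // New address, or only a pending (unverified) record: (re)create it with the new password,
  // so someone who registered first without owning the mailbox cannot lock the owner out.
  store.upsert({ email: normalized, hashedPassword: hashPassword(password), isEmailVerified: false })
  return GENERIC_OK
}

// Policy B: what the question asks for. Any existing record, verified or not, is rejected.
const signupStrict: SignupPolicy = (store, email, password) => {
  const normalized = normalizeEmail(email)
  if (store.find(normalized)) {
    return { success: false, message: 'This email address is already in use.' }
  }
  store.upsert({ email: normalized, hashedPassword: hashPassword(password), isEmailVerified: false })
  return GENERIC_OK
}

// Enumeration probe: send the same signup against a known-registered and an unknown address
// and compare the responses. Returns true when the policy leaks registration status.
function leaksRegistration(policy: SignupPolicy, store: IdentityStore, registered: string, unknown: string): boolean {
  const a = policy(store, registered, 'Probe-Passw0rd!')
  const b = policy(store, unknown, 'Probe-Passw0rd!')
  return a.success !== b.success || a.message !== b.message
}

// Constructed fixture: one verified account, alice@example.com.
function seededStore(): IdentityStore {
  const store = new IdentityStore()
  store.upsert({ email: 'alice@example.com', hashedPassword: hashPassword('alice-original'), isEmailVerified: false })
  store.markVerified('alice@example.com')
  return store
}
```

Running `leaksRegistration` against the two policies shows the cost of the strict variant directly: the safe policy answers identically for alice@example.com and an unknown address, while the strict one returns a different `success` flag, which is exactly the oracle the default design is meant to deny. The probe only compares response bodies; the "intentional wait times" mentioned later in the thread address the timing side of the same problem, which this model does not simulate.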
jit
jitOP3mo ago
Ohh, it's intentional then, never mind. Thank you, Mr. AI.
toticozeni
toticozeni3mo ago
Security 😉. We have a few fun perks because of it: intentional wait times, usernames are not case-sensitive, etc.
jit
jitOP3mo ago
Is that outlined in the docs or somewhere else? I'm curious to find out more @toticozeni
toticozeni
toticozeni3mo ago
We don't really mention everything we do in the docs. Sometimes part of it is mentioned in the related sections, mostly because we need to explain our actions. One way to learn would be to read the source code, but that may not be the most readable currently due to Mustache templates. By the way, to get access to the rest of the server you can send a message in #👋introductions; after that the bot takes off your Guest role.
jit
jitOP3mo ago
👍