Sign up functionality
Hi, I just did a brand new Wasp install with the SaaS template. I'm just wondering if this is normal functionality or a bug.
After signing up and verifying the link from the cmd, I am able to sign up again with the same email. Is this correct, or should it say this user already exists? Or would that be a security issue because people can check if the account exists? Just seeing if anyone knows.
2 Replies
Hi @theworldisyours. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
This is expected behavior in Wasp’s email auth and not a bug.
By default, Wasp’s signup flow is designed to avoid leaking whether an email is already registered:
- If someone tries to sign up with an email that already exists and is verified, Wasp pretends the account was created successfully, instead of saying it already exists. This is specifically to prevent attackers from probing which emails have accounts. [Email signup]
- There is also logic around unverified emails and rate limiting, but the key part relevant to your question is that Wasp intentionally does not return “this user already exists” for existing verified emails. [Email signup]
So: yes, being able to “sign up again” with the same verified email (without getting an “already exists” message) is the intended, security‑conscious behavior in Wasp’s auth system.
----------------------
The bot is right 🙂 let us know if you need any more help
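The behaviour described in the answer above, as an added example that is not part of the thread and not Wasp's own code: a toy in-memory signup handler in a leaky and a uniform variant, plus a regression check that compares the responses for a registered and an unregistered email. All function names, the store layout, the response bodies and the sample addresses are assumptions made for illustration.

```javascript
// Added example: toy in-memory signup, not Wasp's implementation.
// Password hashing is omitted; `credential` stands for an already-hashed value.

// Constructed sample data: one registered, verified account.
function makeStore() {
  return new Map([["alice@example.com", { verified: true, credential: "hash-A" }]]);
}

const OK = { status: 200, body: "Check your inbox to verify your email." };

// Leaky variant: the response differs when the email is already registered.
function signupLeaky(store, email, credential, outbox) {
  if (store.has(email)) return { status: 422, body: "User already exists." };
  store.set(email, { verified: false, credential });
  outbox.push({ to: email, kind: "verification-link" });
  return { ...OK };
}

// Uniform variant: same response on both paths. An existing verified account
// is left untouched, so a repeat signup cannot replace its credential.
// (Overwriting an unverified record is this toy's choice, not Wasp's rule.)
function signupUniform(store, email, credential, outbox) {
  const existing = store.get(email);
  if (!(existing && existing.verified)) {
    store.set(email, { verified: false, credential });
    outbox.push({ to: email, kind: "verification-link" });
  }
  return { ...OK };
}

// Regression check: does the response reveal whether an email is registered?
function revealsRegistration(signup) {
  const known = signup(makeStore(), "alice@example.com", "hash-X", []);
  const unknown = signup(makeStore(), "nobody@example.com", "hash-X", []);
  return JSON.stringify(known) !== JSON.stringify(unknown);
}
```

A check like `revealsRegistration` fits in an auth test suite so that a later change to error handling cannot quietly reintroduce the "already exists" signal.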