clowdr
Account creation / email flow confusion
From a user: When I tried to log in with an e-mail address connected to a previous clowdr instance, the site said it would send me an e-mail with a link to change my password. That e-mail never came (I clicked a bunch of times). I guess it didn't have any existing account for my e-mail address; a warning would be nice. (I could create a new account with that e-mail address.)
This sounds like it might be part of the Auth0 flow, which we don't have much control over. I guess we should try to repro this to understand the behaviour here.
The Auth0 option for "use generic error message in public signup" is switched off, so if a user tries to sign up with an email that's already registered, it will tell the user.
Unfortunately, equivalent options do not exist for:
- Attempting to Sign In with an email that isn't registered
- Attempting to Reset Password for an email that isn't registered
Auth0 does not offer an option to tell the user "you need to sign up". This can be frustrating but is a recognised way of preventing someone (or, more likely, a bot) from ascertaining whether a given email address is registered or not.
This isn't something we should try to work around. I chatted with a friend in the field of web security and they strongly suggested that the only reasonable option would be to add an extra message to prompt people to think "oh, I haven't registered" but without explicitly revealing whether this is the case or not - i.e. same info regardless of the underlying fact.
Unfortunately, Auth0 doesn't offer a way to customise the associated error messages (afaict), so we're stuck for the time being.
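For reference, here is what the behaviour discussed above looks like when you own the sign-in and reset-password handlers yourself. This is an added illustration, not clowdr's code and not how Auth0 implements it internally; the in-memory user store, the message strings and the function names are all constructed for the example. The leaky variant reveals whether an address is registered through its response text; the hardened variant returns the same message either way, only the side effect (queueing the e-mail) differs, and the sign-in path hashes against a dummy record for unknown addresses so that response timing does not leak what the message hides.

```python
import hashlib
import hmac
import os

# Constructed user store for the example (hypothetical; not clowdr's or Auth0's data model).
# Passwords are stored as PBKDF2-HMAC-SHA256 with a per-user salt.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT_A = b"0123456789abcdef"
USERS = {
    "alice@example.org": {"salt": _SALT_A, "hash": _hash_password("correct horse", _SALT_A)},
}

# Dummy record used for unknown addresses, so the unknown-email path does the same
# hashing work as the known-email path (blunts timing-based enumeration).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

# One message for every caller, registered or not. The wording nudges people who have not
# signed up without confirming either way, which is the approach suggested in the thread.
RESET_MESSAGE = (
    "If that address has an account, we have e-mailed it a password-reset link. "
    "If you have not signed up yet, you will need to create an account first."
)
LOGIN_MESSAGE = (
    "Wrong e-mail or password. If you have not signed up yet, create an account first."
)

SENT_EMAILS = []  # stands in for an outbound mail queue


def leaky_request_password_reset(email: str) -> str:
    # The anti-pattern: the response text itself tells an attacker which addresses exist.
    if email in USERS:
        SENT_EMAILS.append((email, "reset-link"))
        return "Reset link sent."
    return "No account exists for that e-mail address."


def request_password_reset(email: str) -> str:
    # Hardened: identical response whether or not the address is registered.
    if email in USERS:
        SENT_EMAILS.append((email, "reset-link"))  # side effect differs, response does not
    return RESET_MESSAGE


def sign_in(email: str, password: str) -> tuple[bool, str]:
    # Hardened: always hash and always compare, against a dummy record if the user is unknown,
    # and return one generic failure message for both "no such user" and "wrong password".
    user = USERS.get(email)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    candidate = _hash_password(password, salt)
    match = hmac.compare_digest(candidate, expected)
    ok = match and user is not None
    return ok, ("" if ok else LOGIN_MESSAGE)


def responses_distinguish(handler, known: str, unknown: str) -> bool:
    # Simple enumeration check: does the handler's reply differ for a known vs unknown address?
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky distinguishes:", responses_distinguish(leaky_request_password_reset,
                                                        "alice@example.org", "nobody@example.org"))
    print("hardened distinguishes:", responses_distinguish(request_password_reset,
                                                           "alice@example.org", "nobody@example.org"))
    print(sign_in("alice@example.org", "correct horse"))
    print(sign_in("nobody@example.org", "anything"))
```

The `responses_distinguish` check is the test to keep in a regression suite: it fails the moment someone reintroduces a "no account for that e-mail" branch. It only checks the response body; in a real deployment you would also compare status codes, headers and timing between the two paths.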