Mitigate the risk of information leakage through sign-up forms #507
Labels: User - Enjoyable to Use our Software; Security - Publicly Connected to Security
Description
When you sign up with an email that has already been used by another user, you get a message like this:
That allows anyone to easily check whether a user with a given email is registered. Although this is very common behavior in a lot of online services, for example, LinkedIn:
I think we should try to mitigate it.
Proposal 1
Add a captcha and/or a rate limit (per IP) to the registration form, to at least make it harder to automate checking a list of emails.
Proposal 2
- Make the email always optional in the sign-up form.
- Remove the configuration option `email_on_signup`. The email would always be optional.
- Allow email duplicates. You can sign up with somebody else's email.
- The application does nothing with the user's email unless it is validated. This should always be the case, for example, to reset passwords, send notifications, etc. For the time being, the email is only verified when the `email_verification_enabled` option is enabled. The user's email is not used for anything else.
```toml
# ...
[auth]
email_on_signup = "Optional"
# ...
[mail]
email_verification_enabled = false
from = "[email protected]"
reply_to = "[email protected]"
username = ""
password = ""
server = ""
port = 25
# ...
```
Both proposals are compatible.
cc @torrust/torrustaceans
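As an added illustration (not code from the Torrust index), the two proposals side by side in Rust: a per-IP fixed-window limit on the registration endpoint, a sign-up path whose response never depends on whether the email is already stored, and a lookup that only acts on verified addresses. `Registrar`, `User`, the window and the limit are constructed stand-ins, not the project's types or settings.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

// Constructed limits for the registration endpoint (Proposal 1), not values from the index.
const WINDOW: Duration = Duration::from_secs(60);
const MAX_SIGNUPS_PER_WINDOW: u32 = 5;

#[derive(Debug, PartialEq)]
pub enum SignupOutcome { Accepted, UsernameTaken, RateLimited }

/// Hypothetical in-memory user record: username, optional email, whether the email is verified.
/// The email is neither required nor unique (Proposal 2).
pub struct User { pub username: String, pub email: Option<String>, pub verified: bool }

#[derive(Default)]
pub struct Registrar {
    users: Vec<User>,
    attempts: HashMap<String, (Instant, u32)>, // ip -> (window start, signups in window)
}

impl Registrar {
    pub fn signup(&mut self, ip: &str, username: &str, email: Option<&str>, now: Instant) -> SignupOutcome {
        // Throttle per IP before any lookup so that running a list of emails through the form is slow.
        let (start, count) = self.attempts.entry(ip.to_string()).or_insert((now, 0));
        if now.duration_since(*start) >= WINDOW { *start = now; *count = 0; }
        *count += 1;
        if *count > MAX_SIGNUPS_PER_WINDOW { return SignupOutcome::RateLimited; }
        // Assumption: usernames stay unique. The email is never compared with other accounts,
        // so the response is the same whether or not somebody else registered that address.
        if self.users.iter().any(|u| u.username == username) { return SignupOutcome::UsernameTaken; }
        self.users.push(User { username: username.into(), email: email.map(String::from), verified: false });
        SignupOutcome::Accepted
    }

    /// Set after the user follows the verification link (the link flow itself is not modelled).
    pub fn mark_verified(&mut self, username: &str) {
        if let Some(u) = self.users.iter_mut().find(|u| u.username == username) { u.verified = true; }
    }

    /// Accounts a password-reset mail for `email` may reach: only those whose copy is verified,
    /// so an unverified duplicate can neither receive nor trigger mail for someone else's address.
    pub fn reset_targets(&self, email: &str) -> Vec<&str> {
        self.users.iter()
            .filter(|u| u.verified && u.email.as_deref() == Some(email))
            .map(|u| u.username.as_str())
            .collect()
    }
}
```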