
fix(sign-up): implement email notification for existing accounts during signup#5244

Merged
victorvhs017 merged 1 commit into main from fix/sign-up-email-enumeration on Jan 23, 2026

Conversation

@victorvhs017
Contributor

Context

The sign-up page is vulnerable to user enumeration. It returns an error if the user already exists and redirects to the validation code screen if they don’t.

To fix this, we send the users to the same screen, but we send a different email if the user already exists.

Screenshots

This is the new email:
image

This is the updated validation code page:
image

Steps to verify the change

Try to sign up with an existing user and with a new user.

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

- Updated authSignupService to send an informational email instead of throwing an error for existing accounts, addressing user enumeration vulnerabilities.
- Added new SignupExistingAccountTemplate for the email notification.
- Updated SMTP service to include the new email template.
- Enhanced frontend to provide a link for users to log in if they already have an account.
@maidul98
Collaborator

Snyk checks have passed. No issues have been found so far.

Open Source Security scanner: Critical 0, High 0, Medium 0, Low 0, Total 0 issues.


@greptile-apps
Contributor

greptile-apps bot commented Jan 23, 2026

Greptile Summary

This PR addresses a user enumeration vulnerability in the sign-up flow. Previously, attempting to sign up with an existing email returned an error, allowing attackers to enumerate valid user accounts. The fix sends users to the same verification code screen regardless of whether their account exists, with a different email sent for existing accounts.

Key Changes:

  • Removed error throw for existing accepted users in beginEmailSignupProcess
  • Added new SignupExistingAccount email template to inform existing users about signup attempts
  • Updated frontend to include login link on verification code page
  • Maintained user experience while preventing enumeration

Issues Found:

  • Timing attack vulnerability remains: existing accounts complete faster (1 email send) than new accounts (db insert + token creation + email send), potentially leaking account existence
  • Password reset URL might not match user expectations (/verify-email vs /password-reset)

Verification Needed:

  • Test timing differences between existing and new user signup flows
  • Verify /verify-email is the intended password reset endpoint

Confidence Score: 3/5

  • This PR significantly improves security but has a remaining timing attack vulnerability that could still leak user enumeration information
  • The PR successfully addresses the direct user enumeration vulnerability by removing the error message, but introduces a timing-based side channel. The existing user path (database lookup + email send + return) executes faster than the new user path (database lookup + database insert + token creation + email send). An attacker could measure response times to determine if an account exists. Score reflects good security improvement with one critical remaining issue.
  • backend/src/services/auth/auth-signup-service.ts requires attention to address timing attack vulnerability

Important Files Changed

Filename: Overview
backend/src/services/auth/auth-signup-service.ts: Fixed user enumeration vulnerability by sending informational email to existing accounts instead of throwing error. Potential timing attack remains.
backend/src/services/smtp/emails/SignupExistingAccountTemplate.tsx: Added new email template to inform existing users about signup attempts. Template is well-structured and secure.
backend/src/services/smtp/emails/index.ts: Exported new SignupExistingAccountTemplate for use in SMTP service.
backend/src/services/smtp/smtp-service.ts: Added SignupExistingAccount template enum and mapping for email notifications.
frontend/src/components/auth/CodeInputStep.tsx: Added helpful link to login page for users who might have an existing account.

@greptile-apps greptile-apps bot left a comment


5 files reviewed, 2 comments


@scott-ray-wilson scott-ray-wilson left a comment


LGTM, verified with both an existing user and new user

@victorvhs017 victorvhs017 merged commit 14792ba into main Jan 23, 2026
11 of 12 checks passed