BUG: Security Vulnerability in User Signup #99

@Aditya30ag

Description

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

Issue Summary

Critical security vulnerability in the user signup process that allows email enumeration and potential account lockouts.

Location

Frontend/src/pages/Signup.tsx (lines 44-50)

Bug Description

The signup form attempts to check if a user already exists by making an authentication request with a dummy password:

// Check if user already exists
const { data: existingUser } = await supabase.auth.signInWithPassword({
  email,
  password: "dummy-password-to-check-existence",
});

Why This Is a Problem

🔒 Security Issues

  • Email Enumeration: Attackers can determine which email addresses are registered
  • Account Lockouts: Multiple failed login attempts may trigger security measures
  • Information Disclosure: Reveals user existence without proper authorization

🚫 Wrong Approach

  • Using authentication endpoints for existence checks
  • Hardcoded dummy passwords in code
  • No rate limiting on existence checks

Expected Behavior

User existence should be checked through:

  • Dedicated API endpoints
  • Admin-level operations
  • Proper authorization checks

Impact

  • Severity: High
  • Affects: All new user registrations
  • Risk: Information disclosure and potential DoS

Suggested Fix

Replace the current check with proper Supabase admin API or dedicated endpoint:

// Option 1: Handle during signup process
const { data, error } = await supabase.auth.signUp({
  email,
  password,
  options: { data: { name } },
});

if (error?.message?.includes('already registered')) {
  setError("An account with this email already exists. Please sign in instead.");
  return;
}

Priority

High - Should be fixed before production deployment.


Record

  • I agree to follow this project's Code of Conduct
  • I want to work on this issue
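Added example, not code from the issue or the project: it contrasts the reported sign-in probe with a signup handler that gives every caller the same answer, so the response itself is no longer an existence oracle. `authApi`, `registeredEmails` and the sample addresses are constructed stand-ins for the two Supabase calls the issue uses (synchronous here for simplicity; the real client is async), and the generic-message approach goes a step beyond the issue's own suggested fix, which still reports "already exists".

```javascript
// Constructed stand-in for the Supabase auth client (assumption: only mimics
// the shape of signInWithPassword and signUp; not @supabase/supabase-js).
const registeredEmails = new Set(["alice@example.com"]); // constructed data
const failedLogins = new Map(); // failed sign-in attempts per email

const authApi = {
  signInWithPassword({ email }) {
    // A probe with a dummy password is a real failed login against that
    // account, so it counts toward any lockout or rate-limit policy.
    failedLogins.set(email, (failedLogins.get(email) ?? 0) + 1);
    return { data: { user: null }, error: { message: "Invalid login credentials" } };
  },
  signUp({ email }) {
    if (registeredEmails.has(email)) {
      return { data: { user: null }, error: { message: "User already registered" } };
    }
    registeredEmails.add(email);
    return { data: { user: { email } }, error: null };
  },
};

// Pattern reported in the issue: probe with a dummy password, then branch.
// Each call burns a failed login on the target address, and the two
// branches answer with different messages, so the response is an oracle.
function vulnerableSignup(email, password) {
  const probe = authApi.signInWithPassword({ email, password: "dummy-password-to-check-existence" });
  if (probe.data.user) return { message: "An account with this email already exists." };
  const { error } = authApi.signUp({ email, password });
  return { message: error ? error.message : "Account created." };
}

// Hardened handler: a single signUp call, no probe, and one user-facing
// message whether or not the address is registered. The collision is only
// recorded server-side, where a defender can alert on bursts of them.
const GENERIC_MESSAGE = "If this address is new, a confirmation email has been sent.";
function hardenedSignup(email, password) {
  const { error } = authApi.signUp({ email, password });
  if (error && !/already registered/i.test(error.message)) throw new Error(error.message);
  if (error) console.warn("signup collision (server log only)"); // never echoed to the client
  return { message: GENERIC_MESSAGE };
}

function failedLoginCount(email) {
  return failedLogins.get(email) ?? 0;
}
```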
