From 42cdd16d71f69284a0a9ae5bdee498809deecd57 Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Thu, 4 Jun 2026 02:57:16 +0530
Subject: [PATCH] Prevent account enumeration via signup error messages (Issue #697)

Replace specific 'User already exists' error message with generic 'Username or email is invalid' message. This prevents attackers from enumerating valid email addresses and usernames in the system by observing different error messages during signup attempts.

Changes:
- Changed error message on duplicate user detection to generic message
- Changed duplicate key error message to match generic message
- Prevents account enumeration attacks that rely on error message differences

Fixes #697
---
 backend/routes/auth.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index 7c2cda78..821a7538 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -16,14 +16,14 @@ router.post("/signup", validateRequest(signupSchema), async (req, res) => {
 });
 if (existingUser)
- return res.status(400).json({ message: 'User already exists' });
+ return res.status(400).json({ message: 'Username or email is invalid' });
 const newUser = new User({ username, email, password });
 await newUser.save();
 res.status(201).json({ message: 'User created successfully' });
 } catch (err) {
 if (err && err.code === 11000) {
- return res.status(400).json({ message: 'User already exists' });
+ return res.status(400).json({ message: 'Username or email is invalid' });
 }
 res.status(500).json({ message: 'Error creating user', error: err.message });