preventUserEnumeration(true) behaviour #14596
andrewhawkes
started this conversation in
General
Replies: 1 comment 2 replies
-
For new user registrations, it seems like it’d be an awkward workflow (and generate extra support) to pretend like the form was submitted, but it silently failed. I can’t think of any site I’ve ever registered at that has that behavior. A better solution (IMO) would be the same as #10565 - where we have a native way to “rate limit” new user registrations, helping to mitigate user enumeration like we do with login attempts. https://craftcms.com/docs/4.x/config/general.html#maxinvalidlogins https://craftcms.com/docs/4.x/config/general.html#invalidloginwindowduration https://craftcms.com/docs/4.x/config/general.html#cooldownduration
-
I just discovered the preventUserEnumeration setting only seems to affect the “forgot password” flow. I've not posted this as an issue because I'm not sure what the desired/correct outcome is.
From what I understand, the whole point of this is to avoid being able to easily find out if a username/email address is valid/in use.
So I'm wondering if this setting should also impact user registrations.
I guess from a UX perspective this could be negative if you are already a user and you've forgotten and you sign up again etc.
But if someone did attempt to sign up, could you potentially show a success message as with the forgot password flow?
The data from that submission could be disregarded and email could be sent to the user reminding them they have an account already and to reset their password?
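As an added illustration of the two ideas in this thread (this is example code, not Craft's own code and not from either poster): the original post's suggestion that sign-up returns the same success response whether or not the address is already registered, mailing a reminder instead of creating a duplicate, and the reply's suggestion of rate limiting registration attempts the way Craft limits invalid logins. The parameter names, the in-memory "user table" and the mail spool are assumptions constructed for the example; the real settings are the ones linked above.

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RegistrationGuard:
    """Registration flow that never reveals whether an email is already in use.

    Assumed parameters, modelled loosely on Craft's maxInvalidLogins,
    invalidLoginWindowDuration and cooldownDuration (not Craft's own code).
    """
    max_attempts: int = 5          # submissions allowed per client per window
    window_seconds: int = 3600     # sliding window length
    cooldown_seconds: int = 300    # lockout once the window limit is exceeded
    existing: set = field(default_factory=set)   # constructed stand-in for the user table
    outbox: list = field(default_factory=list)   # constructed stand-in for the mailer
    attempts: dict = field(default_factory=lambda: defaultdict(list))
    locked_until: dict = field(default_factory=dict)

    def _rate_limited(self, client: str, now: float) -> bool:
        """Sliding-window counter per client (e.g. source IP) with a cooldown."""
        if self.locked_until.get(client, 0) > now:
            return True
        recent = [t for t in self.attempts[client] if now - t < self.window_seconds]
        recent.append(now)
        if len(recent) > self.max_attempts:
            self.locked_until[client] = now + self.cooldown_seconds
            self.attempts[client] = []
            return True
        self.attempts[client] = recent
        return False

    def register(self, client: str, email: str, now: Optional[float] = None) -> dict:
        """Handle a sign-up; the HTTP-level reply is identical in both branches."""
        now = time.time() if now is None else now
        if self._rate_limited(client, now):
            return {"status": 429, "message": "Too many attempts, please try again later."}
        email = email.strip().lower()
        if email in self.existing:
            # Already registered: discard the submission and tell the mailbox owner,
            # not the requester, that an account exists and how to reset it.
            self.outbox.append((email, "You already have an account; use the password reset form."))
        else:
            self.existing.add(email)
            self.outbox.append((email, "Welcome! Please verify your email address."))
        # Same status and wording either way, so the response alone cannot be used
        # to tell a registered address from a new one; only the mail content differs.
        return {"status": 200, "message": "Thanks! Check your inbox to continue."}
```

A real deployment also has to keep the two branches' response time comparable (for example by sending mail asynchronously), since an identical status and body is only half of the picture.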