Privacy clarification for "check whether someone you know has an account" #3527

Closed. Cainor opened this issue Nov 18, 2023 · 2 comments

Cainor commented Nov 18, 2023

Dear Team,

Thank you for your support.
I'm currently testing this library, and wanted to express my gratitude to you for helping improve the security of Django.

I read in the README that this supports a privacy feature. This part:

🔒 Private
Many sites leak information. For example, on many sites you can check whether someone you know has an account by inputting their email address into the password forgotten form, or trying to signup with it. We offer account enumeration prevention, making it impossible to tell whether or not somebody already has an account.

When I tried to sign up with the same username and email I got these two messages:
[image: screenshot of the two signup error messages]

Shouldn't this be a generic message so as not to indicate that this email or username exists? I did not change any settings; this was all with the default configuration.

Thank you again for your efforts.

pennersr (Owner) commented

The default email verification setting is set to "optional", meaning the signup is supposed to go through even without verifying the email. In that case, you can only properly prevent user enumeration if you allow for multiple users signing up all with the same email. Given that this is normally considered non-standard behavior (signing up repeatedly with the same email), by default allauth does not do so, but you can configure it to do so using ACCOUNT_PREVENT_ENUMERATION="strict".

pennersr closed this as not planned on Nov 23, 2023

pennersr (Owner) commented


FWIW, it is recommended to use ACCOUNT_EMAIL_VERIFICATION = "mandatory" in order to prevent user enumeration.
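Putting the maintainer's two replies together as a Django settings fragment, added here as an illustration rather than taken from the allauth docs or this issue: the default-like configuration the reporter was running, the recommended one, and the "strict" alternative. The helper `signup_enumeration_safe` is an assumed deployment check that encodes the rule stated in the replies; it is not part of django-allauth.

```python
# Django settings fragments for django-allauth (added example, not project code).
# Setting names and values come from the maintainer's replies in this issue.

# --- Configuration the reporter was effectively running ---
# With "optional" verification the signup completes without a verified email,
# so a second signup with an existing address has to be rejected with an
# error, and that error reveals that the account exists.
WEAK_SETTINGS = {
    "ACCOUNT_EMAIL_VERIFICATION": "optional",   # allauth default per the reply
    "ACCOUNT_PREVENT_ENUMERATION": True,        # assumed value for the reporter's setup
}

# --- Recommended configuration ---
# "mandatory" verification is what the maintainer recommends to prevent
# user enumeration on signup.
HARDENED_SETTINGS = {
    "ACCOUNT_EMAIL_VERIFICATION": "mandatory",
    "ACCOUNT_PREVENT_ENUMERATION": True,
}

# --- Alternative: keep optional verification but accept duplicate emails ---
# "strict" lets multiple users sign up with the same email, so no
# account-revealing error is needed. Non-standard behaviour, per the reply.
STRICT_SETTINGS = {
    "ACCOUNT_EMAIL_VERIFICATION": "optional",
    "ACCOUNT_PREVENT_ENUMERATION": "strict",
}


def signup_enumeration_safe(settings: dict) -> bool:
    """Assumed helper (not allauth's): True only when the signup form cannot be
    used to learn whether an email is already registered, following the rule in
    the maintainer's replies: enumeration prevention must be on, and either
    verification is mandatory or duplicate emails are allowed via "strict"."""
    verification = settings.get("ACCOUNT_EMAIL_VERIFICATION", "optional")
    prevent = settings.get("ACCOUNT_PREVENT_ENUMERATION", True)
    if not prevent:
        return False
    return verification == "mandatory" or prevent == "strict"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS),
                      ("strict", STRICT_SETTINGS)):
        print(f"{name}: enumeration-safe signup = {signup_enumeration_safe(cfg)}")
```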
