In the codebase, this seems intentional:
"Return a generic bad request to prevent exposing existing accounts"
So this is clearly a security decision to avoid account enumeration.
BUT...
The Inconsistency
If a user signs up normally (email/password) and tries again → Appwrite does return 409 user_already_exists
So:
Case                    Response
Email → Email again     409 (explicit)
OAuth → Email           400 (generic)
This means:
Enumeration is already possible
But UX is bad only in OAuth cases
Why This Matters
For real apps:
Users get confused ("Did I already sign up?")
No clear path to login instead
Poor first impression of auth flow
The Real Question
What should be the correct behavior here?
Option A: Security First
Always return generic errors (400)
→ Prevents enumeration, but hurts UX
Option B: Consistency + UX
Always return 409 user_already_exists
→ Better UX, but leaks account existence
Option C: Smarter Approach
Return 409
BUT guide user: "Try logging in with Google"
Or auto-link identities
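To make the trade-off concrete, here is an added example (my own code, not Appwrite's) that models the signup responses under the options above and checks, per policy, whether an unauthenticated caller can tell an existing account from a new one from the response alone. The user store, the `uniform` policy (same 202 for everyone, with guidance sent by email instead) and the mailer stand-in are constructed assumptions, not Appwrite behaviour.

```javascript
// Constructed sample store: email -> how the account was originally created.
function sampleUsers() {
  return new Map([
    ['alice@example.com', { provider: 'google' }],   // signed up via OAuth
    ['bob@example.com',   { provider: 'password' }], // signed up with email/password
  ]);
}

const outbox = [];
function queueMail(to, text) { outbox.push({ to, text }); } // stand-in for a real mailer

// policy: 'generic'  -> Option A: generic 400 for any existing account
//         'explicit' -> Option B/C: 409 user_already_exists, plus a login hint for OAuth accounts
//         'uniform'  -> hypothetical: identical 202 for everyone; existing users are told by email
function signup(users, email, policy) {
  const existing = users.get(email);
  if (policy === 'uniform') {
    if (existing) queueMail(email, `You already have an account (${existing.provider}); log in instead.`);
    else users.set(email, { provider: 'password' });
    return { status: 202, body: { message: 'Check your inbox to continue' } };
  }
  if (!existing) {
    users.set(email, { provider: 'password' });
    return { status: 201, body: { type: 'created' } };
  }
  if (policy === 'generic') {
    return { status: 400, body: { message: 'Bad request' } }; // constructed wording
  }
  const body = { type: 'user_already_exists' };
  if (existing.provider !== 'password') body.hint = `Try logging in with ${existing.provider}`;
  return { status: 409, body };
}

// True when the three probes (unknown email, OAuth account, password account) yield
// more than one distinct response, i.e. the endpoint itself is an enumeration oracle.
// Note that 'generic' still leaks: 201 for a new email vs 400 for an existing one.
function leaksExistence(policy) {
  const probes = ['carol@example.com', 'alice@example.com', 'bob@example.com'];
  const seen = new Set(probes.map(e => JSON.stringify(signup(sampleUsers(), e, policy))));
  return seen.size > 1;
}
```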
I'd Love Your Thoughts
How do you handle this in your apps?
Is account enumeration still a real concern here?
Should OAuth + email accounts be auto-linked?
Let's discuss