Hello guys,
This is my first post. Apologies if there are any mistakes.
So this morning I came across this issue on the Appwrite git repo, #11908.
🧪 Scenario
A user signs up using Google OAuth (myemail@google.com)
Then tries to sign up again using email/password (account.create())
🤔 Expected Behavior
Appwrite should return:
```json
{
  "message": "A user with the same id, email, or phone already exists in this project.",
  "code": 409,
  "type": "user_already_exists"
}
```
😕 Actual Behavior
Instead, it returns:
```json
{
  "message": "There was an error processing your request.",
  "code": 400,
  "type": "general_bad_request"
}
```
🧠 What's Going On?
In the codebase, this seems intentional:
“Return a generic bad request to prevent exposing existing accounts”
So this is clearly a security decision to avoid account enumeration.
BUT…
⚖️ The Inconsistency
If a user signs up normally (email/password) and then tries to sign up again, Appwrite does return 409 user_already_exists.
So:
| Case | Response |
| --- | --- |
| Email → Email again | 409 (explicit) |
| OAuth → Email | 400 (generic) |
This means:
👉 Enumeration is already possible
👉 But UX is bad only in OAuth cases
💥 Why This Matters
For real apps:
Users get confused (“Did I already sign up?”)
No clear path to login instead
Poor first impression of auth flow
❓ The Real Question
What should be the correct behavior here?
Option A — Security First 🔒
Always return generic errors (400)
➡️ Prevents enumeration, but hurts UX
Option B — Consistency + UX 👍
Always return 409 user_already_exists
➡️ Better UX, but leaks account existence
Option C — Smarter Approach 🧠
Return 409
BUT guide user: “Try logging in with Google”
Or auto-link identities
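To make the inconsistency concrete, here is an added example (my own sketch, not Appwrite's code) that models the two account.create() outcomes quoted above next to the uniform response of Option A, and a small check that reports whether the reply to a taken address reveals which provider created the account. The fixture addresses, the `Project` store and the `CREATED` stand-in for a successful create are constructed for the example.

```python
# Added example (not Appwrite's code): a small model of the two account.create()
# outcomes quoted in this post, and a check that reports whether the response
# to a taken address depends on how that account was originally created.
from dataclasses import dataclass, field

USER_EXISTS = {"code": 409, "type": "user_already_exists"}
GENERIC = {"code": 400, "type": "general_bad_request"}
CREATED = {"code": 201, "type": "created"}  # constructed stand-in for a successful create


@dataclass
class Project:
    # email -> provider that first created the identity ("email" or "oauth")
    users: dict = field(default_factory=dict)


def create_as_reported(project: Project, email: str) -> dict:
    """Behaviour described in the issue: a 409 for email/password duplicates,
    but a generic 400 when the address was first registered through OAuth."""
    provider = project.users.get(email)
    if provider == "oauth":
        return GENERIC
    if provider == "email":
        return USER_EXISTS
    project.users[email] = "email"
    return CREATED


def create_uniform(project: Project, email: str) -> dict:
    """Option A from the post: the same response for every taken address,
    whichever provider created it."""
    if email in project.users:
        return GENERIC
    project.users[email] = "email"
    return CREATED


def duplicate_responses(create) -> dict:
    """Run `create` against one address registered via OAuth and one via
    email/password (constructed fixtures); return the responses keyed by provider."""
    project = Project({"alice@example.com": "oauth", "bob@example.com": "email"})
    return {
        "oauth": create(project, "alice@example.com"),
        "email": create(project, "bob@example.com"),
    }


def leaks_provider(create) -> bool:
    """True when the duplicate response tells the caller which provider created
    the account, which is exactly the inconsistency reported in the issue."""
    seen = duplicate_responses(create)
    return seen["oauth"] != seen["email"]
```

The same harness can be pointed at a real signup endpoint by swapping the stub `create` for an HTTP call, which is a cheap regression test for whichever option a project settles on.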
💬 I’d Love Your Thoughts
How do you handle this in your apps?
Is account enumeration still a real concern here?
Should OAuth + email accounts be auto-linked?
Let’s discuss 👇