Registration has a non-atomic failure mode — user lockout risk #12

New issue

Open

opened 2026-02-27 21:18:31 -05:00 by toph · 0 comments

toph commented 2026-02-27 21:18:31 -05:00

Owner

Copy link

src/lib/remote/auth.remote.ts:99-109

Creates user with random UUID password, then calls requestOTP.
If OTP delivery fails, the account exists but user has no way in.
Retrying register fails with "email already exists.
Fix: delete the user if OTP fails, or catch "already exists" and fall through to requestOTP

src/lib/remote/auth.remote.ts:99-109 Creates user with random UUID password, then calls requestOTP. If OTP delivery fails, the account exists but user has no way in. Retrying register fails with "email already exists. Fix: delete the user if OTP fails, or catch "already exists" and fall through to requestOTP

toph added the

bug

label 2026-02-27 21:18:31 -05:00

cesar was assigned by toph 2026-02-27 21:18:31 -05:00

Sign in to join this conversation.

auth

Branches Tags

Clear current reference

main

summoners-n-champs

Clear current reference

No results found.

Labels

Clear labels   

???

More information is needed

  

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

No labels

???

bug

duplicate

enhancement

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

cesar

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

toph/spellbinder#12

No description provided.