HTTP status code for username already exists when registering a new account

Client sends the following to POST /account/register

{
  "username": "user123",
  "password": "pa55w0rd"
}


The server tries to create a new account, but finds that the username is already taken.

What should be the most appropriate HTTP status code response?

I guess 409 Conflict,

but this means the client learns that the username exists, which could be a security issue. Or is it just a case of visibility depending on the type of site, so it depends on the situation?

+5




3 answers


I would suggest returning the error 409 Conflict:

    The request could not be completed due to a conflict with the current state of the resource. This code is only permitted in situations where the user is expected to be able to resolve the conflict and resubmit the request.

+2




It seems not. Maybe 406 is invalid? http://en.wikipedia.org/wiki/List_of_HTTP_status_codes



0




If you are concerned about privacy (whether an account was created or not), be sure to answer the same way in both cases, and probably 204 or 202 is the most appropriate status code in this case.
In order not to mislead the user in the front-end, you can display a generic message that says something like: "Within the next few minutes you will receive a confirmation email if you do not have an account; if you did not receive an email, please try 'forgot password'."
Depending on how far you want to go, you can create the account in a background process rather than in the main thread/request; otherwise attackers can analyze the response time of your endpoint and determine whether an account was created or not, because the account creation process can take longer than just checking for availability and returning.

Answering the same way in both scenarios is the only way to make sure that an attacker cannot determine who is already logged into your system.

0


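As an added illustration of the approach in this answer (example code, not from the original post): a naive register handler that returns 409 when the name is taken, next to one that always answers 202 and defers the existence-dependent work to a background job, so neither the status code nor the work done on the request path depends on whether the username exists. The Store class, the handler names and the PBKDF2 stand-in for the site's password hash are assumptions.

```python
import hashlib
import os
from collections import deque
from dataclasses import dataclass, field

GENERIC_MESSAGE = ("Within the next few minutes you will receive a confirmation "
                   "email if you do not have an account; if you receive no "
                   "email, please try 'forgot password'.")

@dataclass
class Store:
    accounts: dict = field(default_factory=dict)   # username -> (salt, hash)
    jobs: deque = field(default_factory=deque)     # deferred registration work
    emails: list = field(default_factory=list)     # (recipient, template) "sent"

def hash_password(password: str):
    # PBKDF2 stands in for whatever password hash the site really uses (assumption).
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register_revealing(store: Store, username: str, password: str):
    """Naive handler: the 409 branch tells the caller the username exists, and
    only the 201 branch does the slow hashing, so both status and timing leak."""
    if username in store.accounts:
        return 409, {"error": "username already exists"}
    store.accounts[username] = hash_password(password)
    return 201, {"status": "created"}

def register_uniform(store: Store, username: str, password: str):
    """Enumeration-resistant handler: no account lookup on the request path and
    the same 202 + body either way; existence-dependent work is queued."""
    store.jobs.append((username, password))
    return 202, {"message": GENERIC_MESSAGE}

def process_jobs(store: Store) -> int:
    """Background worker. Branching on existence is fine here, because nothing
    the client can observe in the HTTP response depends on it. Returns the
    number of jobs handled."""
    done = 0
    while store.jobs:
        username, password = store.jobs.popleft()
        if username in store.accounts:
            store.emails.append((username, "account-exists"))  # "use forgot password"
        else:
            store.accounts[username] = hash_password(password)
            store.emails.append((username, "confirm"))
        done += 1
    return done
```

In the uniform variant the second request for an existing name leaves the stored hash untouched and only results in a different e-mail, which the requester never sees in the response.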
