Avoid user harvest #213
NhielSalvana started this conversation in Ideas
Replies: 1 comment 1 reply
You're totally right. What I would prefer is that it still redirects exactly as it does now, except instead of sending the user through the sign up flow, it opaquely sends them through the login flow. Otherwise someone who forgot they already have an account may be confused why they're not getting an email. So it should look like they're signing up in the app, but once they enter the code or click the link, it just logs them in instead of sending them to the onboarding.
Signup/Forgot should not redirect to `verify` `onsuccess`, and should just return a message like "we sent you a confirmation email please check your inbox", regardless of the status of the action, except for maybe internal server errors. This is to avoid malicious people from harvesting user emails. Also, if the user already exists, a `forgot password` should be sent instead of a `signup` verification email. And if the user does not exist in a forgot password route, it should also send a signup verification email instead of a forgot password link.
I can put up a PR if you guys agree, (it's gonna be my first time on anything open source though, so please bear with me).
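A sketch of the behaviour proposed above, added here as an example and not code from the project or the poster: both routes share one handler and return the identical message, the only branch being which email goes out, and a verified token logs an existing user straight in rather than sending them to onboarding. `FakeMailer`, `AuthService` and the sample address are assumed names and constructed data.

```python
import secrets
from dataclasses import dataclass, field
GENERIC_MESSAGE = "We sent you a confirmation email, please check your inbox."


@dataclass
class FakeMailer:
    """Assumed mail interface: records outgoing mail instead of sending it."""
    sent: list = field(default_factory=list)
    fail: bool = False  # flip to simulate a mail-backend outage

    def send(self, to: str, kind: str, token: str) -> None:
        if self.fail:
            raise RuntimeError("mail backend down")
        self.sent.append((to, kind, token))


class AuthService:
    """Signup, forgot-password and verify with one indistinguishable response."""

    def __init__(self, existing_emails, mailer):
        self.users = {e.lower() for e in existing_emails}
        self.mailer = mailer
        self.pending = {}  # token -> (email, kind of email that carried it)

    def _request(self, email: str) -> dict:
        # One code path for both routes; only the kind of email differs,
        # and the caller never learns which one was sent.
        email = email.strip().lower()
        kind = "reset_password" if email in self.users else "signup_verification"
        token = secrets.token_urlsafe(16)
        try:
            self.mailer.send(email, kind, token)
        except RuntimeError:  # a genuine server failure is the only other status
            return {"status": 500, "message": "Something went wrong, try again later."}
        self.pending[token] = (email, kind)
        return {"status": 200, "message": GENERIC_MESSAGE}

    signup = _request            # /signup route
    forgot_password = _request   # /forgot route

    def verify(self, token: str) -> dict:
        """New accounts go to onboarding; existing ones are simply logged in."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return {"status": 400, "message": "Invalid or expired token."}
        email, kind = entry
        if kind == "signup_verification":
            self.users.add(email)
            return {"status": 200, "session": email, "next": "onboarding"}
        return {"status": 200, "session": email, "next": "app"}
```

Because every request sends exactly one email before responding, response time does not distinguish the two branches either; the verify step is the first place the paths diverge, and by then the caller has proven control of the mailbox.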