mirror of
https://github.com/immich-app/immich.git
synced 2026-05-18 03:10:24 +03:00
fa6ce8cc00
Two distinct error messages in the OAuth callback endpoint revealed whether an email address was already registered in the database. An attacker controlling the OAuth provider's email claim could probe the user table without authentication. Both cases now return the same generic message.