Prevent account enumeration via signup error messages (Issue #697)

Replace specific 'User already exists' error message with generic 'Username or email is invalid' message. This prevents attackers from enumerating valid email addresses and usernames in the system by observing different error messages during signup attempts.

Changes:
- Changed error message on duplicate user detection to generic message
- Changed duplicate key error message to match generic message
- Prevents account enumeration attacks that rely on error message differences

Fixes #697

Author: anshul23102

backend/routes/auth.js

@@ -16,14 +16,14 @@ router.post("/signup", validateRequest(signupSchema), async (req, res) => {
         });
 
         if (existingUser)
-            return res.status(400).json({ message: 'User already exists' });
+            return res.status(400).json({ message: 'Username or email is invalid' });
 
         const newUser = new User({ username, email, password });
         await newUser.save();
         res.status(201).json({ message: 'User created successfully' });
     } catch (err) {
         if (err && err.code === 11000) {
-            return res.status(400).json({ message: 'User already exists' });
+            return res.status(400).json({ message: 'Username or email is invalid' });
         }
 
         res.status(500).json({ message: 'Error creating user', error: err.message });