
> Yes, but signing up is a more cumbersome process and usually has a CAPTCHA attached to it, unlike logging in.

My guess of what is most common is that the actual trying to create a user in the backend/database is protected by a captcha, but checking if the email/username already exists is a separate endpoint that the frontend hits while filling out the signup form, before trying to create the actual user.

But it's just a guess, and I can already think of many examples where that doesn't happen, which is for good reasons.




> but checking if the email/username already exists is a separate endpoint that the frontend hits

I'm sure this happens in some cases, but it's definitely not a good practice, would hopefully get flagged by any pentesting or security audit, and also, most people use some sort of framework for auth (Devise for Rails, Spring Security for JVM, or similar) - and those usually don't work in that way.
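Added example, not part of the thread or any commenter's code: a constructed in-memory model of the design discussed above, with the CAPTCHA-free availability check next to one common alternative (a single CAPTCHA-gated signup call that answers identically whether or not the address is registered). `SignupService`, `captcha_ok`, the token value and the addresses are all hypothetical.

```python
from dataclasses import dataclass, field

# Same reply for every accepted signup request, whether or not the address exists.
GENERIC = {"status": 202, "body": "If this address can be registered, check your inbox."}


def captcha_ok(token):
    """Hypothetical stand-in for a real CAPTCHA verification call."""
    return token == "valid-captcha"


@dataclass
class SignupService:
    users: set = field(default_factory=set)
    outbox: list = field(default_factory=list)  # (recipient, message kind), constructed

    def check_available_weak(self, email):
        # Weak design from the thread: no CAPTCHA, and the reply depends on
        # whether the account exists, so the form helper leaks membership.
        return {"status": 200, "available": email.lower() not in self.users}

    def signup_hardened(self, email, captcha_token):
        # Single endpoint: the CAPTCHA gate covers the existence lookup too.
        if not captcha_ok(captcha_token):
            return {"status": 403, "body": "CAPTCHA required"}
        email = email.lower()
        if email in self.users:
            # The difference is only visible to whoever controls the mailbox.
            self.outbox.append((email, "already-registered notice"))
        else:
            self.users.add(email)  # real code would create a pending account
            self.outbox.append((email, "confirmation link"))
        return dict(GENERIC)


def responses_distinguish(call, known, unknown):
    """True when the HTTP-level reply reveals which address is registered."""
    return call(known) != call(unknown)


if __name__ == "__main__":
    svc = SignupService(users={"alice@example.com"})
    print("weak endpoint leaks:",
          responses_distinguish(svc.check_available_weak,
                                "alice@example.com", "bob@example.com"))
    print("hardened endpoint leaks:",
          responses_distinguish(lambda e: svc.signup_hardened(e, "valid-captcha"),
                                "alice@example.com", "bob@example.com"))
```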



