
The argumentation is faulty.

Users cannot be enumerated using the login, but they can be using the signup. The author then argues that they should add the user enumeration function to the login.

This is similar to: The door is locked, but the window is open. And then consequently it makes no sense to close the door at all, as an attacker can sneak through the window.

Instead, the window should be locked as well, i.e., it should be impossible to enumerate users with the signup function.
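One way to "lock the window" as the comment proposes, as an added example that is not part of the comment or of the site it discusses: both the signup and the login handler return an identical response whether or not the account exists, and the branch that differs goes only into an email to the address owner. The in-memory store, message strings and `OUTBOX` are constructed for this example.

```python
"""Signup and login that reveal nothing about whether an account exists.
The store, messages and outbox are constructed for this example."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory store: email -> (salt, password hash)
USERS = {}
# Constructed stand-in for outbound email; the requester never sees it
OUTBOX = []

# Identical wording for the "exists" and "does not exist" cases
SIGNUP_MSG = "If this address is not already registered, a confirmation email has been sent."
LOGIN_MSG = "Invalid email or password."


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Dummy credential so a login for an unknown email still does one hash computation
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = _hash(secrets.token_hex(8), DUMMY_SALT)


def signup(email, password):
    """Same message either way; the existing-account case is reported only by email."""
    if email in USERS:
        OUTBOX.append((email, "Someone tried to sign up with your address; you already have an account."))
    else:
        salt = os.urandom(16)
        USERS[email] = (salt, _hash(password, salt))
        OUTBOX.append((email, "Confirm your new account."))
    return SIGNUP_MSG


def login(email, password):
    """Single generic failure message for unknown email and wrong password alike."""
    salt, stored = USERS.get(email, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored) and email in USERS
    return (True, "Welcome.") if ok else (False, LOGIN_MSG)
```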


