Don't expose user existence on Forgot Password endpoint #1193
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DEVTomatoCake
changed the title
DEVTomatoCake
added a commit
to DEVTomatoCake/spacebar-server
that referenced
this pull request
Aug 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR makes the server return a HTTP
204 No Contentsuccess response when requesting a password reset, regardless of the user existing or not, as long as the captcha (if enabled) was passed.While this definitively hurts the user experience, it's recommended by OWASP, and even if Big Corp does it like that, they might have other tracking measures or ratelimits to prevent brute-force attacks, or might just be vulnerable as well.
Also removes the "Account disabled/scheduled for deletion" error to prevent timing attacks and instead always sends an email. Those checks (as well as MFA verification!) should be handled after the user (and therefore the access of the user to the email account) was verified.
To my knowledge, there's no Spacebar client with a "Forgot password" button nor a server template to handle password resets.