Lost password existing account disclosure
Closed this issue · 4 comments
UndefinedOffset commented
Should the `api/auth/lostPassword?email=***` endpoint return anything other than a generic response, i.e. `{"email":true}`, rather than what it currently does, which is two different responses: one if the account exists and one if it does not? It would probably be better for security if it returned a generic response, much like `/Security/lostpassword` does.
UndefinedOffset commented
I have a proposed fix in the Webbuilders Group fork if you agree I'll submit a pull request accordingly for you to merge.
colymba commented
Thanks @UndefinedOffset, sounds good to me! One suggestion: should we change `"email"` in the response to `done` or something else generic?
UndefinedOffset commented
Ya I like that idea, I've switched it to `done` and will open a pull shortly.
colymba commented
Thanks @UndefinedOffset!
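The account-disclosure problem discussed in this thread, shown as an added example that is not the project's code: a lost-password handler whose response differs by account existence (the "before" behaviour described in the first comment) next to the hardened form that returns the same `{"done": true}` body and status on both paths. The in-memory `USERS` store, the handler names and the `responses_differ` probe are constructed for illustration; the real project's member lookup and mail sending are assumed, not reproduced.

```python
import json
import secrets

# Constructed in-memory user store standing in for the application's member
# table (assumption: one registered address, no others).
USERS = {"alice@example.com": {"reset_token": None}}


def _lookup(email):
    """Normalise the address the same way on both paths so the only
    difference between handlers is what they reveal."""
    return USERS.get(email.strip().lower())


def lost_password_enumerable(email):
    """'Before' behaviour from the issue: status and body depend on whether
    the account exists, so anyone can test which addresses are registered."""
    user = _lookup(email)
    if user is None:
        return 404, {"error": "No account found for that email"}
    user["reset_token"] = secrets.token_urlsafe(32)
    # queue_reset_email(email, user["reset_token"]) would go here (assumed).
    return 200, {"email": True}


def lost_password_generic(email):
    """Hardened form: the reset is still issued for a real account, but the
    caller sees an identical response either way (the generic 'done' body
    agreed on in the thread)."""
    user = _lookup(email)
    if user is not None:
        user["reset_token"] = secrets.token_urlsafe(32)
        # queue_reset_email(email, user["reset_token"]) would go here (assumed).
    return 200, {"done": True}


def responses_differ(handler, known_email, unknown_email):
    """Defender's check: does the endpoint give an observer a way to tell a
    registered address from an unregistered one? True means it leaks."""
    return handler(known_email) != handler(unknown_email)


def reset_was_issued(email):
    """Confirm the generic response did not drop the actual reset work."""
    user = _lookup(email)
    return user is not None and bool(user["reset_token"])


if __name__ == "__main__":
    for name, handler in (("enumerable", lost_password_enumerable),
                          ("generic", lost_password_generic)):
        for addr in ("alice@example.com", "nobody@example.com"):
            status, body = handler(addr)
            print(f"{name:10s} {addr:20s} -> {status} {json.dumps(body)}")
        print(f"{name:10s} leaks account existence:",
              responses_differ(handler, "alice@example.com", "nobody@example.com"))
```

The check compares status code and body together, because either one alone is enough for enumeration. Keeping the bodies identical is what the thread fixes; a practitioner hardening the real endpoint would also make sure the two paths do comparable work (or run the mail step asynchronously) so response time does not become the next distinguishing signal.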