-
-
Notifications
You must be signed in to change notification settings - Fork 658
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix: prevent password reset email flooding #2076
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Coverage report❌ An unexpected error occurred. For more details, check console
Test suite run failedFailed tests: 1/1172. Failed suites: 1/194.
Report generated by 🧪jest coverage report action from d31b8fd |
@@ -400,11 +402,19 @@ class UserService { | |||
if (!receiver) { | |||
throw new NotFoundError(`Could not find ${receiverEmail}`); | |||
} | |||
if (this.passwordResetTimeouts[receiver.id]) { | |||
return; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Works as a bugfix for now. More suggested improvements in: https://linear.app/unleash/issue/1-245/improve-forgotten-password-api
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
About the changes
Related to security, limit "forget password" requests. Linear 1-242
Discussion points
Do we want to inform users on the frontend about that? I think we kept the info if mail has been sent very vague before.