
Prevent user name/email leakage via the sign in form #5

Closed
markkap opened this Issue Dec 26, 2017 · 2 comments

Comments

markkap commented Dec 26, 2017

related to #4

The sign-in form is disabled by default, but if it is enabled, people can use it to discover which user names/emails are in use on the site from the rejection messages.

@markkap markkap added this to the 1.0.0 milestone Oct 23, 2018


markkap commented Oct 26, 2018

The signup process is just very flawed on both the security and UX fronts.

From the UX POV, it is just ridiculous to expect a user to select a unique user name without giving him any indication of what might be available. Knowing that "admin" is taken does not help much.

The correct flow should be to let the user register with his email only, then, after the email is confirmed, generate an automatic one for him and suggest to him to change it.

It is still possible to enumerate user names in that kind of flow, but it is much easier to limit the number of such attempts, and it makes the process somewhat harder to automate.


markkap commented Dec 6, 2018

This is mostly solved as part of #187; what is left is to modify the error messages when someone tries to register a user with an already registered email.

The proper way to resolve that situation is probably to treat it like a password reset event.

markkap added a commit that referenced this issue Jan 6, 2019

When there is an attempt to register a new user in a network with an email address for which there is already an associated user, send a password reset email, and display the same message as if the user registration was successful #5
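The flow described in the last comment and the commit message above (email-only registration, a duplicate address handled as a password reset, one identical response in every case, and a random user name assigned after confirmation as suggested in the earlier comment), written out as an added example. This is not the project's own code: the names `UserStore`, `Outbox`, `register` and `confirm`, the in-memory storage and the message text are all assumptions made for illustration.

```python
# Added example, not the project's code. Registration that never reveals
# whether an email address is already in use: every outcome sends one email
# and returns the same message, so neither the text nor the amount of work
# done tells the caller which branch ran. Names and storage are assumed.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# One message for every outcome, so the response text cannot be used as an oracle.
REGISTRATION_MESSAGE = "Check your inbox: we sent an email with the next step."


@dataclass
class Outbox:
    """Stand-in for a mail sender; records messages instead of sending them."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def _hash(token: str) -> str:
    # Store only a hash of each token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class UserStore:
    """In-memory user table: email -> {"username": str|None, "confirmed": bool}."""

    def __init__(self) -> None:
        self.users = {}
        self._tokens = {}  # token hash -> (email, purpose)

    @staticmethod
    def normalize(email: str) -> str:
        # Case and whitespace must not create "different" addresses.
        return email.strip().lower()

    def issue_token(self, email: str, purpose: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_hash(token)] = (email, purpose)
        return token

    def redeem(self, token: str, purpose: str) -> Optional[str]:
        # Single use: the entry is removed whether or not the purpose matches,
        # so a confirmation token cannot later be tried as a reset token.
        entry = self._tokens.pop(_hash(token), None)
        if entry is None or entry[1] != purpose:
            return None
        return entry[0]


def register(store: UserStore, outbox: Outbox, email: str) -> str:
    """Register by email only and return the same message in every case."""
    email = store.normalize(email)
    user = store.users.get(email)
    if user is None:
        # New address: create a pending record and ask for confirmation.
        store.users[email] = {"username": None, "confirmed": False}
        purpose = "confirm"
    elif not user["confirmed"]:
        # Pending address registered again: just resend the confirmation.
        purpose = "confirm"
    else:
        # Confirmed address: treat the attempt as a password reset request.
        purpose = "reset"

    token = store.issue_token(email, purpose)
    if purpose == "confirm":
        outbox.send(email, "Confirm your account", f"Confirm: /confirm?token={token}")
    else:
        outbox.send(email, "Password reset", f"Reset your password: /reset?token={token}")
    # Every branch issues one token and sends one email, so response time does not
    # distinguish them; in a real deployment queue the email instead of sending inline.
    return REGISTRATION_MESSAGE


def confirm(store: UserStore, token: str) -> Optional[str]:
    """Finish registration: mark the account confirmed and give it a random
    user name the user can change later. Returns the name, or None on a bad token."""
    email = store.redeem(token, "confirm")
    if email is None:
        return None
    user = store.users[email]
    user["confirmed"] = True
    user["username"] = "user-" + secrets.token_hex(4)
    return user["username"]
```

The sign-in side needs the same discipline: a wrong user name and a wrong password must produce one identical "invalid credentials" response, and as the earlier comment notes, enumeration is still possible by observing which addresses receive mail, so the endpoint should be rate-limited per address and per client as well.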

markkap added a commit that referenced this issue Jan 6, 2019

@markkap markkap closed this Jan 6, 2019
