showing password-reset email status success even when I don't have CARE user account. #842
Assignees
Comments
|
@JAIMIN-CHOKHAWALA I think the current way is a good way from security perspective... This way, we can be ensure that no one can apply the bruteforce techniques to find existing users and send spams or apply other attacks, yes... but I agree that the message should be changed to "Password reset email will be sent shortly if account exists" |
|
Yep, we have to make sure that all user information is intact. |
|
closing this issue as it's being tracked in coronasafe/care_fe#2664 |
|
@sainak, Yeah sure it is better to close it but I also with @Marmik2003 about changing status message. |
|
@JAIMIN-CHOKHAWALA coronasafe/care_fe#2665 will update the status message |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Even when I don't have account on CARE system, it is showing me "password reset link sent successfully" when I do forgot password on login page and then random username as input.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Expected status should be "Invalid user" OR "User not available in database"
Screenshots
Desktop (please complete the following information):
Additional context
It looks like this is a frontend issue. I don't have any registered account on the CARE system, so it is not possible that my user is already available in the database. hence it is not possible to send me a password reset link and it did not. So, it looks like it received "success" status on the frontend and showed me "password reset email sent".
The text was updated successfully, but these errors were encountered: