Change user workflows to prevent user enumeration attacks

CHANGELOG.md

@@ -14,6 +14,10 @@ Decidim.configure do |config|
 end
 ```
 
+#### User workflows change to prevent user enumeration attacks 
+
+Until now it was possible to see if an email account was registered in Decidim, by using features like "Forgot your password", as the response changed if the email existed ("`You will receive an email with instructions on how to reset your password in a few minutes`") that's different to a non-existing user account ("`could not be found. Did you sign up previously?`"). This allows User Enumration attacks, where a malicious actor can check if anyone has an acount in the platform. As per [\#8537](https://github.com/decidim/decidim/pull/8537), anyone has the same answer always "`If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes`". 
+
 ### Added
 * [#8012](https://github.com/decidim/decidim/pull/8012) Participatory space to comments, to fix the statistics. Use
 `rake decidim_comments:update_participatory_process_in_comments` to migrate existing comments to the new structure.

decidim-core/config/initializers/devise.rb

@@ -88,7 +88,7 @@ def respond
   # It will change confirmation, password recovery and other workflows
   # to behave the same regardless if the e-mail provided was right or wrong.
   # Does not affect registerable.
-  # config.paranoid = true
+  config.paranoid = true
 
   # By default Devise will store the user in session. You can skip storage for
   # particular strategies by setting this option.

decidim-core/spec/system/authentication_spec.rb

@@ -330,9 +330,20 @@
           perform_enqueued_jobs { find("*[type=submit]").click }
         end
 
-        expect(page).to have_content("reset your password")
+        expect(page).to have_content("If your email address exists in our database")
         expect(emails.count).to eq(1)
       end
+
+      it "says it sends a password recovery email when is a non-existing email" do
+        visit decidim.new_user_password_path
+
+        within ".new_user" do
+          fill_in :password_user_email, with: "nonexistent@example.org"
+          find("*[type=submit]").click
+        end
+
+        expect(page).to have_content("If your email address exists in our database")
+      end
     end
 
     describe "Reset password" do
@@ -389,14 +400,14 @@
             end
           end
 
-          it "shows the last attempt warning before locking the account" do
+          it "doesn't show the last attempt warning before locking the account" do
             within ".new_user" do
               fill_in :session_user_email, with: user.email
               fill_in :session_user_password, with: "not-the-pasword"
               find("*[type=submit]").click
             end
 
-            expect(page).to have_content("You have one more attempt before your account is locked.")
+            expect(page).to have_content("Invalid")
           end
         end
 
@@ -421,7 +432,7 @@
               perform_enqueued_jobs { find("*[type=submit]").click }
             end
 
-            expect(page).to have_content("Your account is locked.")
+            expect(page).to have_content("Invalid")
             expect(emails.count).to eq(1)
           end
         end
@@ -440,9 +451,18 @@
             perform_enqueued_jobs { find("*[type=submit]").click }
           end
 
-          expect(page).to have_content("You will receive an email with instructions for how to unlock your account in a few minutes.")
+          expect(page).to have_content("If your account exists")
           expect(emails.count).to eq(1)
         end
+
+        it "says it resends the unlock instructions when is a non-existing user account" do
+          within ".new_user" do
+            fill_in :unlock_user_email, with: user.email
+            find("*[type=submit]").click
+          end
+
+          expect(page).to have_content("If your account exists")
+        end
       end
 
       describe "Unlock account" do