Deliver password reset email asynchronously

Fixes a potential timing attack where someone could find out whether an email address is in our database or not.
plausible · Jan 20, 2022 · 3e46f1b · 3e46f1b
1 parent 2037605
commit 3e46f1b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/plausible_web/controllers/auth_controller.ex b/lib/plausible_web/controllers/auth_controller.ex
@@ -252,7 +252,7 @@ defmodule PlausibleWeb.AuthController do
         url = PlausibleWeb.Endpoint.url() <> "/password/reset?token=#{token}"
         Logger.debug("PASSWORD RESET LINK: " <> url)
         email_template = PlausibleWeb.Email.password_reset_email(email, url)
-        Plausible.Mailer.deliver_now!(email_template)
+        Plausible.Mailer.deliver_later(email_template)
 
         render(conn, "password_reset_request_success.html",
           email: email,