Skip to content

[5.x] Always show success when using forgot password form#14539

Merged
jasonvarga merged 4 commits into5.xfrom
fix-enumeration
Apr 23, 2026
Merged

[5.x] Always show success when using forgot password form#14539
jasonvarga merged 4 commits into5.xfrom
fix-enumeration

Conversation

@jasonvarga
Copy link
Copy Markdown
Member

@jasonvarga jasonvarga commented Apr 22, 2026
edited
Loading

Summary

  • Normalize Password::INVALID_USER and Password::RESET_THROTTLED responses from the broker to Password::RESET_LINK_SENT in SendsPasswordResetEmails::sendResetLinkEmail(), so the endpoint responds identically whether or not the email belongs to a registered (and un-throttled) user.
  • Throttling is normalized too because Laravel's PasswordBroker only reaches the throttle check after successfully retrieving a user — a throttled response would otherwise still indicate that a matching user exists.

Test plan

  • vendor/bin/phpunit tests/Tags/User/ForgotPasswordFormTest.php
  • vendor/bin/phpunit tests/Auth/CpForgotPasswordTest.php
  • vendor/bin/phpunit tests/Auth/ForgotPasswordTest.php
  • Manually POST a non-existent email to /cp/auth/password/email and to /!/auth/password/email and confirm the generic "reset link emailed" message is shown with no email error flashed.
  • Manually POST a real user's email and confirm the reset email is dispatched and the same generic message is shown.
  • Manually POST an invalid email format and confirm the existing validation error still renders.

🤖 Generated with Claude Code

jasonvarga and others added 4 commits April 22, 2026 15:08
@jasonvarga @claude
Prevent username enumeration on password reset
19d6085 
Normalize INVALID_USER and RESET_THROTTLED responses from the password
broker to RESET_LINK_SENT so the endpoint does not reveal whether the
submitted email belongs to a registered user.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@jasonvarga @claude
Remove now-dead error response path
9d42569 
After password reset responses are normalized to always succeed, the
failure path in sendResetLinkFailedResponse is unreachable with the
default broker. Drop it along with the obsolete external-URL test that
relied on it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@jasonvarga
wip
f9bf539
@jasonvarga
needed
7c69ab4
@jasonvarga jasonvarga changed the title [5.x] Return generic response on password reset for unknown or throttled users [5.x] Always show success when using forgot password form Apr 23, 2026
@jasonvarga jasonvarga merged commit bc302de into 5.x Apr 23, 2026
30 checks passed
@jasonvarga jasonvarga deleted the fix-enumeration branch April 23, 2026 14:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jasonvarga