From 311cde8d1e82f823ae26a341e068034d60273864 Mon Sep 17 00:00:00 2001
From: Stojan Dimitrovski <sdimitrovski@gmail.com>
Date: Wed, 6 Mar 2024 10:50:34 +0100
Subject: [PATCH] fix: prevent user email side-channel leak on verify (#1472)

There is a side-channel leak whether an email exists in the system when
using the `verify` endpoint. It returns `User not found` (when it
doesn't) vs `Token has expired or is invalid` (when it exists).
---
 internal/api/verify.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/api/verify.go b/internal/api/verify.go
index 6dd29be05..deb52113d 100644
--- a/internal/api/verify.go
+++ b/internal/api/verify.go
@@ -625,7 +625,7 @@ func (a *API) verifyUserAndToken(conn *storage.Connection, params *VerifyParams,
 
 	if err != nil {
 		if models.IsNotFoundError(err) {
-			return nil, notFoundError(err.Error()).WithInternalError(err)
+			return nil, expiredTokenError("Token has expired or is invalid").WithInternalError(err)
 		}
 		return nil, internalServerError("Database error finding user").WithInternalError(err)
 	}