Expected: Regardless of the presence or absence of the proffered email in the DB, the post handler says, "Okidokey, we sent a recovery email to that address".
Actual: The page gives an error if an email address doesn't exist, which means a third party can use it to figure out if an email address is in the system, without owning that address.
The downside of the expected behavior is that typos won't be caught, but I'm okay with that.
As mentioned, there's a downside to making this change, so it should not be made as the only option. A PR that adds the option for this behavior is welcome, though.