
Yesod.Auth.Email.postForgotPasswordR lets a third party know if an email addr is registered #1230

Open
chreekat opened this issue May 10, 2016 · 1 comment


@chreekat
Contributor

Expected: Regardless of the presence or absence of the proffered email in the DB, the post handler says, "Okidokey, we sent a recovery email to that address".

Actual: The page gives an error if an email address doesn't exist, which means a third party can use it to figure out if an email address is in the system, without owning that address.

[image]

The downside of the expected behavior is that typos won't be caught, but I'm okay with that.
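The two behaviours described in this issue, side by side, as an added example (this is not Yesod's code and not the reporter's; the user table, the mail queue and the response texts are constructed stand-ins). The leaky handler answers differently for a registered and an unregistered address, so the response is an oracle for "is this address in the system"; the uniform handler still sends the mail only when the address is registered but returns an identical status and body either way.

```python
"""Added example: a forgot-password handler that does not reveal
whether an address is registered.

All data here is constructed for the example; nothing is Yesod's."""

from dataclasses import dataclass, field
import secrets

# Constructed sample user table: two registered addresses.
REGISTERED = {"alice@example.com", "bob@example.com"}


@dataclass
class Response:
    status: int
    body: str


@dataclass
class MailQueue:
    """Stand-in for the outbound mail system; records what would be sent."""
    sent: list = field(default_factory=list)

    def send_reset(self, email: str, token: str) -> None:
        self.sent.append((email, token))


def forgot_password_leaky(email: str, mail: MailQueue) -> Response:
    """The behaviour the issue reports: an unknown address gets a distinct
    error, so the response alone tells the caller whether the address exists."""
    if email not in REGISTERED:
        return Response(400, "Email address not found")
    mail.send_reset(email, secrets.token_urlsafe(32))
    return Response(200, "A recovery email has been sent to that address.")


def forgot_password_uniform(email: str, mail: MailQueue) -> Response:
    """The expected behaviour: do the lookup and send the mail only when
    the address is registered, but answer identically in both cases."""
    if email in REGISTERED:
        mail.send_reset(email, secrets.token_urlsafe(32))
    # Same status and same body regardless of the lookup result.
    return Response(200, "If that address is registered, a recovery email has been sent.")


def distinguishes(handler, known: str, unknown: str) -> bool:
    """True if the handler's responses differ between a registered and an
    unregistered address, i.e. the handler can be used as an enumeration oracle."""
    mail = MailQueue()
    a = handler(known, mail)
    b = handler(unknown, mail)
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    print("leaky handler is an oracle:",
          distinguishes(forgot_password_leaky, "alice@example.com", "nobody@example.com"))
    print("uniform handler is an oracle:",
          distinguishes(forgot_password_uniform, "alice@example.com", "nobody@example.com"))
```

The check in `distinguishes` only covers the response content. For the uniform handler to close the leak in practice, the registered and unregistered paths also need to take comparable time (for example by queueing the mail for a background job rather than sending it inline), and the message wording is a choice: the text here hedges with "if that address is registered", while the issue's expected wording asserts delivery unconditionally; either is fine as long as both branches return the same bytes.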

@snoyberg
Member

As mentioned, there's a downside to making this change, so it should not be made as the only option. PR welcome though for a PR that adds the option for this behavior.
