Reset password request response when account does not exist


Matas Zanevičius
Oct 19, 2022, 9:48:36 AM
to Rodauth
Hi, I'm enjoying working with rodauth very much. Thank you for a super great gem.

Currently I am trying to figure out how to have POST to reset_password_request return a 200 status, with a success message, all the time, even when the account is not found.
I can see that I could set the no_matching_login_error_status to 200, but the response body would still contain the error message. I can also set the no_matching_login_message to an obscure string, but I would still get an error in the response body, which is not great, because it indicates that, most likely, the login did not match any account.

I want it always to return 200 and a success message, because I want to protect my database against probing for user emails I've got.

Would you consider approving such configurable behaviour if I opened a PR? Or do you see a simpler solution?

Jeremy Evans
Oct 19, 2022, 11:06:04 AM
to rod...@googlegroups.com
Rodauth explicitly does not try to prevent account enumeration. It's basically a lost cause. Even if you made this change to reset password, there would be other ways to enumerate accounts (e.g. try creating an account). Even if you try to handle all of them, it's very likely account enumeration can be done using a timing attack. My advice would be to accept that account enumeration is always possible and you should not take steps to prevent it.

If you are still intent on doing this, you could try:

reset_password_request_error_flash do
  set_field_error(login_param, nil)
  response.status = 200
  set_notice_flash reset_password_email_sent_notice_flash
  redirect reset_password_email_sent_redirect
end

I didn't test that, but it may work.

Thanks,
Jeremy
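As an added illustration, not Rodauth's own code and not part of Jeremy's reply: a plain-Ruby model of the behaviour asked for above. It returns an identical 200 response for known and unknown logins, and it moves the account lookup and the email off the request path so that response timing does not depend on whether a match was found, which addresses the timing-attack caveat raised in the reply. The account table, notice text and job queue are constructed stand-ins.

```ruby
require 'securerandom'

# Constructed sample account table (login => account id); stands in for the DB.
ACCOUNTS = { 'alice@example.com' => 1 }.freeze

# What the requester sees. Status and notice never vary with account existence.
Response = Struct.new(:status, :notice)
NOTICE = 'If an account exists for that login, a reset email has been sent.'

class ResetRequestHandler
  attr_reader :queue, :sent

  def initialize(accounts)
    @accounts = accounts
    @queue = []   # stand-in for a background job queue
    @sent = []    # stand-in for the mailer's outbox
  end

  # Request path: no account lookup and no mail delivery here, so the work
  # done (and the time taken) is the same for known and unknown logins.
  def request(login)
    @queue << login.to_s.strip.downcase
    Response.new(200, NOTICE)
  end

  # Worker path: the lookup and the email happen after the response has
  # already been sent, so neither outcome is observable to the requester.
  def process_queue
    while (login = @queue.shift)
      account_id = @accounts[login]
      next unless account_id # unknown login: silently drop the job
      @sent << { account_id: account_id, key: SecureRandom.urlsafe_base64(32) }
    end
  end
end

# Usage: both requests yield identical responses; only one email results.
handler = ResetRequestHandler.new(ACCOUNTS)
known   = handler.request('alice@example.com')
unknown = handler.request('nobody@example.com')
handler.process_queue
puts known == unknown  # true
puts handler.sent.size # 1
```

In a real deployment the worker would also be where rate limiting per login and per source address belongs, since the request path deliberately reveals nothing.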

Matas Zanevičius
Oct 20, 2022, 3:28:36 AM
to rod...@googlegroups.com
Hi Jeremy, thank you for your quick response. 
I understand your reasoning about the inevitability of chances of getting attacked. At the same time, I believe that the broader the attack surface the higher the likelihood of getting attacked sooner rather than later. And more often perhaps...
I appreciate your take on the issue and the suggested solution. I will try it out.

Thank you
Matas

