Skip to content

Commit

Permalink
fix: prevent user email side-channel leak on verify (supabase#1472)
Browse files Browse the repository at this point in the history
There is a side-channel leak whether an email exists in the system when
using the `verify` endpoint. It returns `User not found` (when it
doesn't) vs `Token has expired or is invalid` (when it exists).
  • Loading branch information
hf authored Mar 6, 2024
1 parent 548edf8 commit 311cde8
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion internal/api/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -625,7 +625,7 @@ func (a *API) verifyUserAndToken(conn *storage.Connection, params *VerifyParams,

if err != nil {
if models.IsNotFoundError(err) {
return nil, notFoundError(err.Error()).WithInternalError(err)
return nil, expiredTokenError("Token has expired or is invalid").WithInternalError(err)
}
return nil, internalServerError("Database error finding user").WithInternalError(err)
}
Expand Down

0 comments on commit 311cde8

Please sign in to comment.