
More secure feedback message on password reset #2395

Merged (5 commits) on Apr 16, 2024

Conversation

@ivan-kocienski-gfsc (Contributor) commented Apr 15, 2024

Closes #2225

If a password reset account is found (or not) show the same feedback message. This way no private information is being leaked in public.

The reset now looks like this regardless of whether or not the email exists:
[Screenshot (2024-04-15): the password reset feedback message]

I also checked the login page and confirmed that it does not have the same problem (the message is always the same for either email or password).
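As an added example (not code from this PR or the project), the two behaviours described above side by side: a reset handler whose feedback differs by account existence, and the fixed handler that returns one message either way while still only mailing real accounts. The account store, mailer and message text are constructed stand-ins.

```python
# Added example, not the project's code. Demonstrates the account-enumeration
# leak in a password-reset feedback message and the fix described in the PR.
from dataclasses import dataclass, field

# Constructed sample account store: only this address has an account.
ACCOUNTS = {"alice@example.org"}


@dataclass
class Outbox:
    """Stand-in mailer that records which addresses were sent a reset link."""
    sent: list = field(default_factory=list)

    def send_reset(self, email: str) -> None:
        self.sent.append(email)


def reset_leaky(email: str, outbox: Outbox) -> str:
    """Before: the wording reveals whether an account exists for the email."""
    if email in ACCOUNTS:
        outbox.send_reset(email)
        return "We have sent a password reset link to your email."
    return "No account found with that email address."


# Constructed wording; the real message text is in the PR screenshot.
RESET_MESSAGE = "If an account exists for that email, we have sent a reset link."


def reset_fixed(email: str, outbox: Outbox) -> str:
    """After: identical message either way; mail is still sent only to real accounts."""
    if email in ACCOUNTS:
        outbox.send_reset(email)
    return RESET_MESSAGE


def messages_identical(handler, known: str, unknown: str) -> bool:
    """Check a reviewer can run: does the visible response depend on account existence?"""
    outbox = Outbox()
    return handler(known, outbox) == handler(unknown, outbox)


if __name__ == "__main__":
    for h in (reset_leaky, reset_fixed):
        same = messages_identical(h, "alice@example.org", "nobody@example.org")
        print(f"{h.__name__}: identical feedback = {same}")
```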

If a password reset account is found (or not) show the same feedback
message. This way no private information is being leaked in public.
@ivan-kocienski-gfsc ivan-kocienski-gfsc requested a review from a team April 15, 2024 12:55
@aaaaargZombies aaaaargZombies self-assigned this Apr 15, 2024
@aaaaargZombies (Contributor) commented Apr 15, 2024


This doesn't match the AC, but I think the PR does solve the original problem.

@ivan-kocienski-gfsc (Contributor, Author) commented

I fixed the A/C so this is okay (and it is okay)

The important thing is that we verify we aren't potentially leaking any information here.

@aaaaargZombies (Contributor) left a review comment

LGTM - agreed that leaking the email was more important than the specific wording, and I like the current one, to the point.

@ivan-kocienski-gfsc ivan-kocienski-gfsc merged commit 0ed3491 into main Apr 16, 2024
2 checks passed
@ivan-kocienski-gfsc ivan-kocienski-gfsc deleted the ik-2225-stop-leaking-emails branch April 16, 2024 09:42
Successfully merging this pull request may close these issues.

[Bug]: Should not be indicating which emails have accounts
2 participants