Generator-jhipster: Password reset allows checking which mails exist

Created on 21 Dec 2019 · 1 comment · Source: jhipster/generator-jhipster

Overview of the issue

When doing a password reset, a bad request is returned if the mail does not exist in the system. With this it is possible to harvest existing mails. I think it would be better to always return "OK" to the API/frontend and log the invalid attempt on the server side.

Motivation for or Use Case

Automatically check which mails exist.

Reproduce the error

Create a default JHipster app and request a password reset for e.g. [email protected]. Both the REST API and the frontend show that the mail does not exist.

Related issues

None I am aware of.

Suggest a Fix

Always return "ok" so that the client/consumer needs to check the mail and there is no hint that the mail didn't exist (or, the other way round, no hint which mail was real).

JHipster Version(s)

Tried with latest master.

area front java security
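The two behaviours described in this issue side by side, as an added plain-Java sketch that is not JHipster's own code: the leaky handler answers differently for unknown addresses, the fixed one always answers 200 and only logs the miss. `UserRepository`, `MailService` and `Response` are assumed stand-ins for the application's real beans and HTTP layer, and the registered address is constructed sample data.

```java
import java.util.Map;
import java.util.Optional;
import java.util.logging.Logger;

public class PasswordResetExample {
    private static final Logger LOG = Logger.getLogger(PasswordResetExample.class.getName());

    // Assumed stand-ins for the application's user repository and mail service.
    interface UserRepository { Optional<String> findResetKeyByEmail(String email); }
    interface MailService { void sendPasswordResetMail(String email, String resetKey); }

    // Minimal HTTP-like result so the example compiles without Spring.
    record Response(int status, String body) {}

    // Before: a 400 for unknown addresses lets a caller tell registered mails from unknown ones.
    static Response requestResetLeaky(UserRepository users, MailService mail, String email) {
        Optional<String> key = users.findResetKeyByEmail(email);
        if (key.isEmpty()) {
            return new Response(400, "Email address not registered");
        }
        mail.sendPasswordResetMail(email, key.get());
        return new Response(200, "");
    }

    // After: the response is identical either way; the miss is recorded server-side only.
    // In a real application hand the mail off asynchronously so response time does not
    // reveal the difference either.
    static Response requestResetSafe(UserRepository users, MailService mail, String email) {
        users.findResetKeyByEmail(email).ifPresentOrElse(
            key -> mail.sendPasswordResetMail(email, key),
            () -> LOG.warning("Password reset requested for a non-existing e-mail address"));
        return new Response(200, "");
    }

    public static void main(String[] args) {
        // Constructed sample data: one registered account and one unknown address.
        Map<String, String> registered = Map.of("alice@example.com", "reset-key-123");
        UserRepository users = email -> Optional.ofNullable(registered.get(email));
        MailService mail = (email, key) -> System.out.println("would send reset mail to " + email);

        for (String candidate : new String[] {"alice@example.com", "nobody@example.com"}) {
            System.out.println(candidate + " leaky -> " + requestResetLeaky(users, mail, candidate).status());
            System.out.println(candidate + " safe  -> " + requestResetSafe(users, mail, candidate).status());
        }
    }
}
```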

Most helpful comment

I checked Keycloak and it also pretends the password reset request was successful, so I will do a PR for all our frontends and adapt the server part if everyone is okay with that.
