Is your feature request related to a problem? Please describe.
Currently, when a non-existent user requests a password reset, a message is always displayed saying that an email has been sent to the email address. The user actually never receives an email. There is a workaround where we can verify if the requested email exists and then return an error, but that's not the way OWASP recommends it (user information leak).
Describe the solution you'd like
The solution is simple: instead of displaying an error message, what about always sending an email to the email address provided? The content of that email changes based on whether a user exists with that email address.
With this approach, it means we need two different emails, one for each scenario. The first would be the primary reset email with a URL and the normal instructions. The other email would be an explanation that the user account wasn't found and suggest alternative approaches or ways to contact support for help.
If the user exists, we send the normal password reset email. If the user doesn't exist, we send a different email explaining that the user account was not found and suggesting that they try a different email address. This approach makes it impossible for anyone other than the email address owner to enumerate a list of user accounts.
I think it's impossible; this feature can introduce a huge security breach, as it allows attackers to use the Parse Server instance as an email spammer.
It can also generate unpredictable costs for developers using email services such as SendGrid or Mailchimp.
If you need a feature like this (not recommended at all), I suggest you create a custom cloud function with your logic.
@TomWFox what about closing this ?