[aerogear-dev] Password reset
Apostolos Emmanouilidis
aemmanou at redhat.com
Thu Dec 5 07:56:42 EST 2013
+1 that's what I meant
On Thu, 2013-12-05 at 10:49 -0200, Bruno Oliveira wrote:
> Not sure if I’m following but we have 2 scenarios:
>
> 1. An attacker asks to reset: john at doe.com, which exists in the database. In this case my sole idea is:
>
> HTTP Response: “An e-mail with the reset instructions was sent”
>
> That example returns the URL, because I’m not taking e-mail validation etc. into consideration
>
> 2. An attacker asks to reset: meggie at doe.com, which doesn’t exist in the database. In this scenario, same thing:
>
> HTTP Response: “An e-mail with the reset instructions was sent”
>
> It might sound silly at first glance, but the idea is to not give any clue as to whether some data exists in the database or not. Is that your idea?
>
> That example returns the URL, because I’m not taking e-mail validation etc. into consideration.
>
> On December 5, 2013 at 10:42:34 AM, Apostolos Emmanouilidis (aemmanou at redhat.com) wrote:
> > Just wanted to add that the /rest/forgot endpoint response must return the same answer regardless of whether the given e-mail is successfully validated against the database or not. The client should not be able to find out if an e-mail address exists in our DB.
> --
> abstractj
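The two scenarios in the thread, as an added example that is not part of the mailing-list discussion or of AeroGear's own code: a Python sketch of a /rest/forgot handler that returns the same status and body for a registered and for an unregistered address, shown next to the leaky variant it replaces. The reset URL is only ever put in the outgoing mail, never in the HTTP response. The in-memory user table, the reset URL, the token format and the expiry are assumptions made for this example.

```python
"""Uniform-response password reset request (added example, not AeroGear code)."""
import hashlib
import secrets
import time

# Constructed sample data for this example; not an AeroGear schema.
USERS = {"john@doe.com": {"id": 1, "name": "John Doe"}}

# Reset tokens at rest: sha256(token) -> (email, expiry). Storing only the hash
# means a leaked database dump does not yield usable reset links.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 3600

# Hypothetical base URL for the reset link; not taken from the thread.
RESET_URL = "https://example.invalid/rest/reset"

# The one answer /rest/forgot gives, whether or not the address is registered.
GENERIC_MESSAGE = "An e-mail with the reset instructions was sent"


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def _issue_token(email, now):
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def forgot_leaky(email, outbox):
    """The pattern the thread argues against: the status code reveals whether
    the address is in the database, so the endpoint becomes an account oracle."""
    user_email = email.strip().lower()
    if user_email not in USERS:
        return {"status": 404, "body": "No account with that e-mail"}
    token = _issue_token(user_email, time.time())
    outbox.append((user_email, f"{RESET_URL}?token={token}"))
    return {"status": 200, "body": GENERIC_MESSAGE}


def forgot(email, outbox, now=None):
    """Same status and body for known and unknown addresses. The mail carrying
    the URL goes to the outbox only when the account exists; the HTTP client
    never sees the URL in either case."""
    now = time.time() if now is None else now
    user_email = email.strip().lower()
    if user_email in USERS:
        token = _issue_token(user_email, now)
        outbox.append((user_email, f"{RESET_URL}?token={token}"))
    else:
        # Do comparable work for an unknown address so that response time does
        # not become the clue the response body no longer gives.
        _hash_token(secrets.token_urlsafe(32))
    return {"status": 200, "body": GENERIC_MESSAGE}


def redeem(token, now=None):
    """Consume a reset token once; returns the e-mail it was issued for, or
    None if the token is unknown, already used, or expired."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash_token(token), None)
    if entry is None:
        return None
    email, expiry = entry
    return email if now <= expiry else None
```

The outbox stands in for whatever mail queue the deployment uses; in a real service the request handler should hand the address to that queue and return immediately, so that a slow or failing mail transport does not reintroduce the timing difference the dummy hash is there to avoid.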