+1 that's what I meant
On Thu, 2013-12-05 at 10:49 -0200, Bruno Oliveira wrote:
Not sure if I’m following but we have 2 scenarios:
1. An attacker asks to reset: john(a)doe.com, which exists in the database. In this case
my solo idea is:
HTTP Response: “An e-mail with the reset instructions was sent”
That example returns the URL, because I’m not taking into consideration e-mail validation,
etc.
2. An attacker asks to reset: meggie(a)doe.com, which doesn’t exist in the database. In
this scenario, same thing:
HTTP Response: “An e-mail with the reset instructions was sent”
It might sound silly at first glance, but the idea is to not give any clue whether some data
exists in the database or not. Is that your idea?
On December 5, 2013 at 10:42:34 AM, Apostolos Emmanouilidis (aemmanou(a)redhat.com) wrote:
> Just wanted to add that the /rest/forgot endpoint response must return the same
> answer regardless of whether the given e-mail is successfully validated against the
> database or not. The client should not be able to find out if an e-mail address exists in
> our DB.
--
abstractj
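The behaviour the thread converges on, as an added example that is not code from the thread or from the project's own /rest/forgot endpoint: a handler that returns the same status and body whether or not the e-mail is registered, beside the "returns the URL / 404" variant it replaces. The user store, the `send_mail` callback and the function names are constructed for this illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed sample store: e-mail -> pending reset token (None when no reset is pending).
USERS = {"john@doe.com": None}

# One fixed message for every request, as proposed in the thread.
GENERIC_MESSAGE = "An e-mail with the reset instructions was sent"


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def forgot_password(email: str, send_mail) -> Response:
    """Handle a reset request without revealing whether `email` is registered.

    `send_mail(email, token)` is a hypothetical delivery hook; the reset link only
    ever travels to the mailbox, never back in the HTTP response.
    """
    if email in USERS:
        token = secrets.token_urlsafe(32)   # unguessable, single-use reset token
        USERS[email] = token
        send_mail(email, token)
    # Both branches end here with an identical status and body: no URL, no token,
    # no "unknown e-mail" error that would let a client enumerate accounts.
    return Response(200, {"message": GENERIC_MESSAGE})


def leaky_forgot_password(email: str) -> Response:
    """The variant the thread argues against: the answer depends on the lookup."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        return Response(200, {"reset_url": f"https://example.invalid/reset?token={token}"})
    return Response(404, {"error": "unknown e-mail"})


def responses_indistinguishable(handler, known: str, unknown: str) -> bool:
    """Check used to verify the property: same status and body for both inputs."""
    return handler(known) == handler(unknown)
```

If the mail delivery itself is slow, run it off the request path (a queue or background job) so the response time does not differ between the two branches either.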