[aerogear-dev] Password reset

Bruno Oliveira bruno at abstractj.org
Thu Dec 5 07:49:03 EST 2013


Not sure if I’m following, but we have 2 scenarios:

1. An attacker asks to reset: john at doe.com, which exists in the database. In this case my sole idea is:

HTTP Response: “An e-mail with the reset instructions was sent”

That example returns the URL, because I’m not taking into consideration e-mail validation, etc.

2. An attacker asks to reset: meggie at doe.com, which doesn’t exist in the database. In this scenario, same thing:

HTTP Response: “An e-mail with the reset instructions was sent”

It might sound silly at first glance, but the idea is to not give any clue whether some data exists in the database or not. Is that your idea?

On December 5, 2013 at 10:42:34 AM, Apostolos Emmanouilidis (aemmanou at redhat.com) wrote:
> Just wanted to add that the /rest/forgot endpoint response must return the same answer regardless of whether the given e-mail is successfully validated against the database or not. The client should not be able to find out if an e-mail address exists in our DB.  
-- 
abstractj
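The uniform-response rule discussed in this thread, as an added example that is not AeroGear's code: a stand-in /rest/forgot handler that looks the address up, issues a reset token only for known users, and returns the identical status and body either way. The user store, the mailer stand-in and the link format are constructed assumptions for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed user store for this example: e-mail address -> user id.
USERS: Dict[str, int] = {"john@doe.com": 1}

# Pending reset tokens, keyed by SHA-256 of the token so a leaked table holds no usable links.
RESET_TOKENS: Dict[str, Tuple[int, float]] = {}

# Stand-in for the mail sender: (recipient, reset link) pairs that would be e-mailed.
OUTBOX: List[Tuple[str, str]] = []

# The one response body every caller gets, whether or not the address is known.
UNIFORM_BODY = {"message": "An e-mail with the reset instructions was sent"}


def _issue_token(email: str, ttl_seconds: int = 3600) -> None:
    """Create a reset token for a known user and hand the link to the mailer only."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (USERS[email], time.time() + ttl_seconds)
    # Hypothetical link format; the token travels out of band, never in the HTTP response.
    OUTBOX.append((email, "https://example.invalid/reset?token=" + token))


def forgot(email: str) -> Tuple[int, dict]:
    """Handle POST /rest/forgot: same status and body on both paths."""
    normalized = email.strip().lower()
    if normalized in USERS:
        _issue_token(normalized)
    # Caveat: if sending mail is slow, enqueue it rather than sending inline, otherwise
    # the response time still tells the caller which branch ran.
    return 200, dict(UNIFORM_BODY)


def redeem(token: str) -> Optional[int]:
    """Exchange a token from the e-mailed link for the user id it belongs to, once."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]
```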



More information about the aerogear-dev mailing list