-
Notifications
You must be signed in to change notification settings - Fork 633
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fixed information on resend password and recovery, related #856 #942
base: master
Are you sure you want to change the base?
Conversation
The possibility of "verifying" the existence of an email is not a very safe option. I'm not sure this should be done. The author of #856 has already reached the same conclusion. |
But always showing a success message is also not a appropriate solution. Any better ideas? |
Hi, shouldn't be the recovery form be validated on the existance of the user mail before sending? |
I agree that having an unconditional success message is a problem. Consider the following situation: a malicious person has a list of users leaked from a site and can test the existence of users with the same email and use the same password to access all accounts found. I have no doubt that it is a major security breach. |
But you do not need the password resend form for that, just use the login.
I don't like them, but what's about an (optional) captcha? |
How about change only message? add "if possible"/"if email correct" |
But ... he can also try to login directly, what would be the difference here?
It would be technically more correct, but makes no difference on the usability side. |
I myself ran into the problem of misunderstanding when I tried to recover the password of a non-existent record (after the rollback of migrations) I try it again and again. I can see "message send" and don't see email))) I check my smtp settings and go find error in code) And I forgot about it and repeat this after year))) |
The solution could be here, but ...... |
Does anyone know how usuario handles this? CC: @thyseus @tonydspaniard |
@schmunk42 https://github.com/2amigos/yii2-usuario/blob/master/src/User/Service/PasswordRecoveryService.php#L43 In yii-usuario If we don't find the email, we throw an error. Also, we send a token that requires verification in order to modify it. Only the owner of the email is allowed to modify the password: https://github.com/2amigos/yii2-usuario/blob/master/src/User/Controller/RecoveryController.php#L136 |
@tonydspaniard Thanks for your feedback. Are there measurements in usuario to prevent brute-force attacks or disclosing too much information, such if a user exists, like captchas, etc...? |
Yes sir, we use Google Recaptcha and also included Google 2Auth Authenticator. |
Any updates on this? I stumbled upon it in a project which requires this change. |
It would not be good to implement this change without there being a control to avoid brute force. |
@thiagotalma Please make a proposal how that should look like.
A property to turn on/off messages completely? |
How about my opinion? complex single message like "A message has been sent to your email address. It contains a confirmation link that you must click to complete registration. Of course, if you sure about registration on this email" |
How about adding an option |
I will forget to enable this feature ;) |
So... I can see this in Nvidia resend form something like |
Yeah, I also saw different versions.
Recently I had to mail GitLab support to ask which e-mail is registered :)
An option would be cool though
Von meinem iPhone gesendet
… Am 31.05.2018 um 14:47 schrieb bscheshirwork ***@***.***>:
So... I can see this in Nvidia resend form
something like
... "Email will be send (if associated with nvidia user) "...
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
Currently you can enter any e-mail address into recovery or resend password and you'll also get a success message even if the mail does not exists (eg. you've made a typo).
This PR adds a warning flash in these cases and outputs only success flashes when appropriate.