Password reset json endpoint reveals whether an email or username is in use

Created on 1 February 2022, almost 3 years ago
Updated 26 July 2023, over 1 year ago

Problem/Motivation

The issue: #1521996: Password reset form reveals whether an email or username is in use β†’ fixed the enumeration of email addresses and usernames via the password reset form. This issue is a follow-up to apply the same fix to the password reset json endpoint in \Drupal\user\Controller\UserAuthenticationController::resetPassword.

Steps to reproduce

Run

curl -X POST 'https://mydrupalsite.dev/user/password?_format=json' \
-d '{"mail": "myemail@example.com"}'

if myemail@example.com does not correspond to an account then the following payload will be returned:

{"message":"Unrecognized username or email address."}

if myemail@example.com does correspond to an account but the account is blocked or not activated, then the following payload is returned:

{"message":"The user has not been activated or is blocked."}

if myemail@example.com does correspond to an active not-blocked account then an empty code 200 response is returned.

Proposed resolution

Make the "Unrecognized username or email address." scenario return an empty code 200 response, as in return new Response();, but log the error in watchdog.
Discuss whether to prevent enumeration of non-active/blocked accounts in another issue.

Remaining tasks

Review the attached patch.

User interface changes

Same empty response regardless of whether the user exists with an active account or does not exist at all.

This decreases usability for users since they might be resetting their password with the wrong email address and then wonder why they never get an email. Right now you immediately know that you typed in a wrong email address. However, decreased usability vs. better privacy is probably a tradeoff we accept.

API changes

Headless clients will need to be adjusted for the new response.

Data model changes

None.

Release notes snippet

πŸ› Bug report
Status

Fixed

Version

10.1 ✨

Component
User moduleΒ  β†’

Last updated about 4 hours ago

Created by

πŸ‡¨πŸ‡¦Canada shaundychko

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the β€œReport a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Novice

    It would make a good project for someone who is new to the Drupal contribution process. It's preferred over Newbie.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024