fixed information on resend password and recovery, related #856 #942
base: master
Conversation
The possibility of "verifying" the existence of an email is not a very safe option. I'm not sure this should be done. The author of #856 has already reached the same conclusion.

But always showing a success message is also not an appropriate solution. Any better ideas?

Hi, shouldn't the recovery form be validated on the existence of the user mail before sending?

I agree that having an unconditional success message is a problem. Consider the following situation: a malicious person has a list of users leaked from a site and can test the existence of users with the same email and use the same password to access all accounts found. I have no doubt that it is a major security breach.

But you do not need the password resend form for that, just use the login.
I don't like them, but what about an (optional) captcha?

How about changing only the message? Add "if possible"/"if email correct".

But ... he can also try to login directly, what would be the difference here?
It would be technically more correct, but makes no difference on the usability side.

I myself ran into the problem of misunderstanding when I tried to recover the password of a non-existent record (after the rollback of migrations). I tried it again and again. I could see "message send" and didn't see an email))) I checked my SMTP settings and went looking for an error in the code) And I forgot about it and repeated this after a year)))

The solution could be here, but ......

Does anyone know how usuario handles this? CC: @thyseus @tonydspaniard

@schmunk42 https://github.com/2amigos/yii2-usuario/blob/master/src/User/Service/PasswordRecoveryService.php#L43 In yii-usuario, if we don't find the email, we throw an error. Also, we send a token that requires verification in order to modify it. Only the owner of the email is allowed to modify the password: https://github.com/2amigos/yii2-usuario/blob/master/src/User/Controller/RecoveryController.php#L136

@tonydspaniard Thanks for your feedback. Are there measures in usuario to prevent brute-force attacks or disclosing too much information, such as whether a user exists, like captchas, etc.?

Yes sir, we use Google Recaptcha and also included Google 2Auth Authenticator.

Any updates on this? I stumbled upon it in a project which requires this change.

It would not be good to implement this change without there being a control to avoid brute force.

@thiagotalma Please make a proposal for how that should look.
A property to turn on/off messages completely?

How about my opinion? A complex single message like "A message has been sent to your email address. It contains a confirmation link that you must click to complete registration. Of course, if you are sure about registration on this email"

How about adding an option

I will forget to enable this feature ;)

So... I can see this in Nvidia resend form something like

Yeah, I also saw different versions.
Recently I had to mail GitLab support to ask which e-mail is registered :)
An option would be cool though
On 31.05.2018 at 14:47, bscheshirwork ***@***.*** wrote:
> So... I can see this in Nvidia resend form
> something like
> ... "Email will be send (if associated with nvidia user) "...
Currently you can enter any e-mail address into recovery or resend password and you'll also get a success message even if the mail does not exist (e.g. you've made a typo).
This PR adds a warning flash in these cases and outputs only success flashes when appropriate.
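An added example, not code from this PR or from yii2-user or usuario, of the recovery design the thread converges on: one uniform response whether or not the address is registered (the "if associated with a user" wording), a per-client rate limit against brute-force probing, and a single-use expiring token that only the mailbox owner can redeem, as usuario does. The in-memory user store, the client key, the limits and the mailer stand-in are constructed assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict
from typing import Optional

# Constructed in-memory user store standing in for the application's database.
USERS = {"alice@example.com": {"id": 1}}

class RecoveryService:
    """Password-recovery request handling that never reveals whether an account exists."""

    def __init__(self, max_per_window: int = 5, window_s: int = 900):
        self.tokens = {}                   # user id -> (token, expiry timestamp)
        self.outbox = []                   # constructed stand-in for the mailer
        self.attempts = defaultdict(list)  # client key (e.g. IP) -> request timestamps
        self.max_per_window = max_per_window
        self.window_s = window_s

    def _rate_limited(self, client: str, now: float) -> bool:
        # Sliding window: drop old timestamps, then count what is left.
        recent = [t for t in self.attempts[client] if now - t < self.window_s]
        self.attempts[client] = recent
        if len(recent) >= self.max_per_window:
            return True
        recent.append(now)
        return False

    def request(self, email: str, client: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._rate_limited(client, now):
            return "too_many_requests"
        user = USERS.get(email.strip().lower())
        if user is not None:
            token = secrets.token_urlsafe(32)
            self.tokens[user["id"]] = (token, now + 3600)  # valid for one hour
            self.outbox.append((email, token))
        # Same message either way; the mail itself tells the real owner what happened.
        return "If that address is registered, a recovery link has been sent."

    def confirm(self, user_id: int, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        stored = self.tokens.get(user_id)
        if stored is None or now > stored[1]:
            return False
        if not hmac.compare_digest(stored[0], token):
            return False
        del self.tokens[user_id]  # single use
        return True
```

As the thread notes, the login form leaks the same information if it answers differently for unknown accounts, so it needs the same uniform response and rate limit for this to be worth anything.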