fix: email enumeration via forgot password page (#4299)

Co-authored-by: Matthias Nannt <mail@matthiasnannt.com>
2026-01-06 05:40:02 -06:00 · 2024-11-13 17:35:44 +05:30
parent 1f1563401d
commit 8c1f8bfb42
4 changed files with 6 additions and 7 deletions
--- a/apps/web/app/api/v1/users/forgot-password/route.ts
+++ b/apps/web/app/api/v1/users/forgot-password/route.ts
@@ -11,11 +11,10 @@ export const POST = async (request: Request) => {
      },
    });

-    if (!foundUser) {
-      return Response.json({ error: "No user with this email found" }, { status: 409 });
+    if (foundUser) {
+      await sendForgotPasswordEmail(foundUser, foundUser.locale);
    }

-    await sendForgotPasswordEmail(foundUser, foundUser.locale);
    return Response.json({});
  } catch (e) {
    return Response.json(