mirror/formbricks
1
0
Fork 0
mirror of https://github.com/formbricks/formbricks.git synced 2026-04-20 02:30:18 -05:00
Code Issues Packages Projects Releases 164 Wiki Activity

fix: reset password email enumeration

Browse Source
This commit is contained in:
Piyush Gupta
2025-06-30 18:30:07 +05:30
parent 3f98283d4d
commit 49560ccba8
5 changed files with 32 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
apps/web/app/(app)/environments/[environmentId]/settings/(account)/profile/components/EditProfileDetailsForm.tsx
View File

@@ -19,7 +19,6 @@ import { Label } from "@/modules/ui/components/label";
import { zodResolver } from "@hookform/resolvers/zod";
import { useTranslate } from "@tolgee/react";
import { ChevronDownIcon } from "lucide-react";
import { signOut } from "next-auth/react";
import { useState } from "react";
import { FormProvider, SubmitHandler, useForm } from "react-hook-form";
import toast from "react-hot-toast";
@@ -135,15 +134,15 @@ export const EditProfileDetailsForm = ({
setIsResettingPassword(true);
const resetPasswordResponse = await forgotPasswordAction({ email: user.email });
await forgotPasswordAction({ email: user.email });
if (!resetPasswordResponse?.data) {
const errorMessage = getFormattedErrorMessage(resetPasswordResponse);
toast.error(errorMessage);
} else {
toast.success(t("auth.forgot-password.email-sent.heading"));
await signOut({ callbackUrl: "/auth/login" });
}
toast.success(t("auth.forgot-password.email-sent.heading"));
await signOutWithAudit({
reason: "password_reset",
redirectUrl: "/auth/login",
redirect: true,
callbackUrl: "/auth/login",
});
setIsResettingPassword(false);
};

8
apps/web/modules/auth/actions/sign-out.ts
View File

@@ -13,7 +13,13 @@ export const logSignOutAction = async (
userId: string,
userEmail: string,
context: {
reason?: "user_initiated" | "account_deletion" | "email_change" | "session_timeout" | "forced_logout";
reason?:
| "user_initiated"
| "account_deletion"
| "email_change"
| "session_timeout"
| "forced_logout"
| "password_reset";
redirectUrl?: string;
organizationId?: string;
}

12
apps/web/modules/auth/forgot-password/actions.ts
View File

@@ -5,7 +5,7 @@ import { actionClient } from "@/lib/utils/action-client";
import { getUserByEmail } from "@/modules/auth/lib/user";
import { sendForgotPasswordEmail } from "@/modules/email";
import { z } from "zod";
import { OperationNotAllowedError, ResourceNotFoundError } from "@formbricks/types/errors";
import { OperationNotAllowedError } from "@formbricks/types/errors";
import { ZUserEmail } from "@formbricks/types/user";
const ZForgotPasswordAction = z.object({
@@ -21,15 +21,9 @@ export const forgotPasswordAction = actionClient
const user = await getUserByEmail(parsedInput.email);
if (!user) {
throw new ResourceNotFoundError("user", parsedInput.email);
}
if (user.identityProvider !== "email") {
throw new OperationNotAllowedError("Password reset is not allowed for SSO users");
if (!user || user.identityProvider !== "email") {
return;
}
await sendForgotPasswordEmail(user);
return { success: true };
});

8
apps/web/modules/auth/hooks/use-sign-out.ts
View File

@@ -3,7 +3,13 @@ import { signOut } from "next-auth/react";
import { logger } from "@formbricks/logger";
interface UseSignOutOptions {
reason?: "user_initiated" | "account_deletion" | "email_change" | "session_timeout" | "forced_logout";
reason?:
| "user_initiated"
| "account_deletion"
| "email_change"
| "session_timeout"
| "forced_logout"
| "password_reset";
redirectUrl?: string;
organizationId?: string;
redirect?: boolean;

8
apps/web/modules/auth/lib/utils.ts
View File

@@ -283,7 +283,13 @@ export const logSignOut = (
userId: string,
userEmail: string,
context?: {
reason?: "user_initiated" | "account_deletion" | "email_change" | "session_timeout" | "forced_logout";
reason?:
| "user_initiated"
| "account_deletion"
| "email_change"
| "session_timeout"
| "forced_logout"
| "password_reset";
redirectUrl?: string;
organizationId?: string;
}