fix: email enumeration via forgot password page (#4299)

Co-authored-by: Matthias Nannt <mail@matthiasnannt.com>
Dhruwang Jariwala
2024-11-13 17:35:44 +05:30
committed by GitHub
parent 1f1563401d
commit 8c1f8bfb42
4 changed files with 6 additions and 7 deletions


@@ -11,11 +11,10 @@ export const POST = async (request: Request) => {
},
});
if (!foundUser) {
return Response.json({ error: "No user with this email found" }, { status: 409 });
if (foundUser) {
await sendForgotPasswordEmail(foundUser, foundUser.locale);
}
await sendForgotPasswordEmail(foundUser, foundUser.locale);
return Response.json({});
} catch (e) {
return Response.json(
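Review bot: The `await sendForgotPasswordEmail(foundUser, foundUser.locale)` inside `if (foundUser)` still leaves the two cases distinguishable, because only a request for an existing account waits for the mail to be sent, and only that request can reach the `catch` branch if sending fails. The success body is now identical, but latency and (presumably) the error response from `catch` still differ; the catch body is outside the hunk, so confirm what it returns. Consider taking the send off the response path, e.g. `void sendForgotPasswordEmail(foundUser, foundUser.locale).catch((err) => console.error(err));`, or a background job if the runtime does not keep un-awaited work alive, so both paths return `Response.json({})` in comparable time. A short comment above the `if`, such as `// Same response whether or not the account exists, to prevent email enumeration`, would help keep a later change from reintroducing the 409. POST starts above and ends below this hunk.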


@@ -10,7 +10,7 @@
"back_to_login": "Zurück zum Login",
"email-sent": {
"heading": "Passwort erfolgreich angefordert",
"text": "Du hast einen Link angefordert, um dein Passwort zu ändern. Klicke auf den Link, um dein Passwort zurückzusetzen klickst:"
"text": "Wenn ein Konto mit dieser E-Mail-Adresse existiert, erhälst du in Kürze Anweisungen zum Zurücksetzen deines Passworts."
},
"reset": {
"confirm_password": "Passwort bestätigen",


@@ -10,7 +10,7 @@
"back_to_login": "Back to login",
"email-sent": {
"heading": "Password reset successfully requested",
"text": "You have requested a link to change your password. You can do this by clicking the link below:"
"text": "If an account with this email exists, you will receive password reset instructions shortly."
},
"reset": {
"confirm_password": "Confirm password",


@@ -9,8 +9,8 @@
"an_error_occurred_when_logging": "Ocorreu um erro ao fazer login",
"back_to_login": "Voltar para o login",
"email-sent": {
"heading": "Solicitação de redefinição de senha feita com sucesso",
"text": "Você pediu um link pra trocar sua senha. Você pode fazer isso clicando no link abaixo:"
"heading": "Pedido de redefinição de senha feito com sucesso",
"text": "Se existir uma conta com esse e-mail, você vai receber em breve as instruções pra redefinir sua senha."
},
"reset": {
"confirm_password": "Confirmar senha",