iachat/app/controllers/devise_overrides
João Pedro Baza Garcia Rodrigues 4d362da9f0
fix: Prevent user enumeration on password reset endpoint (#13528)
## Description

The current password reset endpoint returns different HTTP status codes
and messages depending on whether the email exists in the system (200
for existing emails, 404 for non-existing ones). This allows attackers
to enumerate valid email addresses via the password reset form.

## Changes

### `app/controllers/devise_overrides/passwords_controller.rb`
- Removed the `if/else` branch that returned different responses based
on email existence
- Now always returns a generic `200 OK` response with the same message
regardless of whether the email exists
- Uses safe navigation operator (`&.`) to send reset instructions only
if the user exists

### `config/locales/en.yml`
- Consolidated `reset_password_success` and `reset_password_failure`
into a single generic `reset_password` key
- New message does not reveal whether the email exists in the system

## Security Impact
- **Before**: An attacker could determine if an email was registered by
observing the HTTP status code (200 vs 404) and response message
- **After**: All requests receive the same 200 response with a generic
message, preventing user enumeration

This follows [OWASP guidelines for authentication error
messages](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-responses).

Fixes #13527
2026-02-13 13:45:40 +05:30
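To make the before/after shapes in the commit message concrete, here is an added illustration in Ruby. It is not iachat's code: it stands in for a Devise passwords controller `create` action with a plain `User` class, an in-memory `USERS` directory, a `MAIL_LOG` sink and message strings that are all constructed assumptions. The `enumerable?` helper is the check a tester would run against the endpoint: do a registered and an unregistered address produce distinguishable responses?

```ruby
# Added illustration, not iachat's code: a minimal stand-in for a Devise
# passwords controller `create` action, with the enumerable "before" shape
# next to the constant-response "after" shape the commit describes.
# User, USERS, MAIL_LOG and the message strings are constructed assumptions;
# the real controller talks to the model and the Devise mailer.

# Stand-in for the Devise user model; the real method sends an email.
class User
  attr_reader :email

  def initialize(email)
    @email = email
  end

  # Record instead of mailing so the effect is checkable offline.
  def send_reset_password_instructions
    MAIL_LOG << email
  end
end

MAIL_LOG = [] # constructed mail sink
USERS = { 'alice@example.com' => User.new('alice@example.com') }.freeze

# Stand-in for `User.find_by(email:)`.
def find_user(email)
  USERS[email]
end

# Before: status and message depend on whether the email is registered, so
# a single unauthenticated request tells the attacker which it was.
def reset_before(email)
  user = find_user(email)
  if user
    user.send_reset_password_instructions
    [200, 'Reset password instructions have been sent to your email']
  else
    [404, 'No account found for this email']
  end
end

# After: identical status and message for every input; the mailer runs only
# when a user exists (safe navigation), and that is not visible in the
# response.
GENERIC_RESET_MESSAGE =
  'If an account exists for this email, password reset instructions have been sent'.freeze

def reset_after(email)
  find_user(email)&.send_reset_password_instructions
  [200, GENERIC_RESET_MESSAGE]
end

# Oracle check: do a registered and an unregistered address yield
# distinguishable (status, body) pairs from the given handler?
def enumerable?(handler)
  known   = send(handler, 'alice@example.com')
  unknown = send(handler, 'definitely-not-registered@example.com')
  known != unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "before: enumerable=#{enumerable?(:reset_before)}"
  puts "after:  enumerable=#{enumerable?(:reset_after)}"
end
```

Equalizing status and body is what closes the channel the commit describes. A general caveat, not a claim about this project: if reset mail is delivered synchronously inside the request, response time can still differ between the two branches, which is why the OWASP cheat sheet linked above also recommends keeping response times comparable (for example by enqueueing delivery). Devise itself ships a `paranoid` configuration setting aimed at this class of leak; when auditing a Devise app, check whether it is enabled alongside any controller overrides.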
confirmations_controller.rb fix: DEPRECATION WARNING: Rendering actions with '.' in the name is deprecated (#5560) 2022-10-05 17:24:34 -07:00
omniauth_callbacks_controller.rb feat: Add relay state for SAML SSO (#12597) 2025-10-07 20:32:29 +05:30
passwords_controller.rb fix: Prevent user enumeration on password reset endpoint (#13528) 2026-02-13 13:45:40 +05:30
sessions_controller.rb fix: Session controller to not generate auth tokens before mfa verification (#12487) 2025-09-23 19:13:47 +05:30
token_validations_controller.rb chore: Enable the new Rubocop rules (#7122) 2023-05-19 14:37:10 +05:30