iachat/app
João Pedro Baza Garcia Rodrigues 4d362da9f0
fix: Prevent user enumeration on password reset endpoint (#13528)
## Description

The current password reset endpoint returns different HTTP status codes
and messages depending on whether the email exists in the system (200
for existing emails, 404 for non-existing ones). This allows attackers
to enumerate valid email addresses via the password reset form.

## Changes

### `app/controllers/devise_overrides/passwords_controller.rb`
- Removed the `if/else` branch that returned different responses based
on email existence
- Now always returns a generic `200 OK` response with the same message
regardless of whether the email exists
- Uses safe navigation operator (`&.`) to send reset instructions only
if the user exists

### `config/locales/en.yml`
- Consolidated `reset_password_success` and `reset_password_failure`
into a single generic `reset_password` key
- New message does not reveal whether the email exists in the system

## Security Impact
- **Before**: An attacker could determine if an email was registered by
observing the HTTP status code (200 vs 404) and response message
- **After**: All requests receive the same 200 response with a generic
message, preventing user enumeration

This follows [OWASP guidelines for authentication error
messages](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-responses).

Fixes #13527
2026-02-13 13:45:40 +05:30
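The commit describes the fix at the level of the controller branch and the locale key; the following Ruby is an added example written for this page, not code from the iachat/app repository. It models the endpoint before and after the change without Rails or Devise: `UserStore`, `User`, `ResetMailer` and the handler functions are hypothetical stand-ins, the in-memory address list is constructed, and `send_reset_password_instructions` is a stub that records what would have been mailed. It also includes the check a reviewer would run: the visible response must be identical for a registered and an unregistered address.

```ruby
# Added example (not code from iachat/app): password-reset endpoint
# modelled before and after the user-enumeration fix. All names here
# are hypothetical stand-ins for the Devise controller and mailer.
require 'json'

# Stand-in for the mailer: records recipients instead of sending.
module ResetMailer
  @sent = []
  class << self
    attr_reader :sent

    def deliver(email)
      @sent << email
    end
  end
end

# Minimal user record with the Devise-style instance method the commit
# calls through safe navigation (`user&.send_reset_password_instructions`).
User = Struct.new(:email) do
  def send_reset_password_instructions
    ResetMailer.deliver(email)
  end
end

# Constructed in-memory "database" of registered addresses.
module UserStore
  REGISTERED = ['alice@example.com', 'bob@example.com'].freeze

  def self.find_by_email(email)
    normalized = email.to_s.strip.downcase
    User.new(normalized) if REGISTERED.include?(normalized)
  end
end

# BEFORE: status code and message depend on whether the address is
# registered, so the endpoint is an oracle for account existence.
def reset_password_before(email)
  user = UserStore.find_by_email(email)
  if user
    user.send_reset_password_instructions
    { status: 200, body: { message: 'Reset instructions sent' }.to_json }
  else
    { status: 404, body: { message: 'Email not found' }.to_json }
  end
end

# AFTER: one generic 200 response for every request; the mailer runs
# only when a user exists, but nothing visible to the caller changes.
GENERIC_RESET_MESSAGE =
  'If an account with that email exists, you will receive password ' \
  'reset instructions shortly.'

def reset_password_after(email)
  user = UserStore.find_by_email(email)
  user&.send_reset_password_instructions
  { status: 200, body: { message: GENERIC_RESET_MESSAGE }.to_json }
end

# Reviewer check: a handler leaks existence if the response for a known
# address differs in any way from the response for an unknown one.
def leaks_existence?(handler)
  known   = handler.call('alice@example.com')
  unknown = handler.call('nobody@example.com')
  known != unknown
end

if __FILE__ == $PROGRAM_NAME
  puts "before leaks: #{leaks_existence?(method(:reset_password_before))}"
  puts "after leaks:  #{leaks_existence?(method(:reset_password_after))}"
end
```

The check compares the whole response (status and body), which is what the commit changes. One caveat the commit text does not address: if the reset mail is sent synchronously, the registered-address path still does more work, so response timing can remain a weaker oracle; delivering the mail from a background job keeps the two paths close to indistinguishable.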