# HG changeset patch
# User Bernhard Reiter
# Date 1535382625 -7200
# Node ID 8e82936b49f73c31a362ca4ccd468b0130fccec7
# Parent e5dab193207a5cbf8f39b952dbff665a2825757e
# Parent 139214cecc8f40b47024b83ba6009240fe8ad25a
merge
diff -r e5dab193207a -r 8e82936b49f7 pkg/controllers/pwreset.go
--- a/pkg/controllers/pwreset.go Mon Aug 27 16:46:19 2018 +0200
+++ b/pkg/controllers/pwreset.go Mon Aug 27 17:10:25 2018 +0200
@@ -188,6 +188,16 @@
 ctx := req.Context()
+ // FIXME, we need to always answer with a neutral messages
+ // to avoid becoming an oracle about which user exists to third parties.
+
+ // Error messages need to be logged instead of being send to the user.
+ //
+ // const neutralMessage = "If this account exists, a reset link will be mailed."
+
+ // FIXME responding should be done it a goroutine of its own so its
+ // executing time is constant (to avoid becoming an oracle over the
+ // response time).
 if err = auth.RunAs(
 pwResetRole, ctx, func(conn *sql.Conn) error {
@@ -202,7 +212,7 @@
 if count >= maxPasswordResets {
 return JSONError{
 Code: http.StatusServiceUnavailable,
- Message: "Too much password reset request",
+ Message: "Too many requests for the server, please notify the administrator.",
 }
 }
@@ -210,8 +220,10 @@
 switch {
 case err == sql.ErrNoRows:
+ //FIXME change to logging
 return JSONError{http.StatusNotFound, "User does not exist."}
 case err != nil:
+ //FIXME change to logging
 return err
 }
@@ -222,6 +234,7 @@
 // Limit requests per user
 if count >= maxPasswordRequestsPerUser {
+ //FIXME change to logging
 return JSONError{
 Code: http.StatusServiceUnavailable,
 Message: "Too much password reset requests for user",
@@ -235,6 +248,7 @@
 body := requestMessageBody(useHTTPS(req), user.User, hash, req.Host)
 if err = misc.SendMail(email, "Password Reset Link", body); err == nil {
+ //FIXME change to logging
 jr.Result = &struct {
 SendTo string `json:"send-to"`
 }{email}
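Review bot: The new comments name the account-enumeration oracle but the code the commit leaves in place still exposes it: in the third hunk the `case err == sql.ErrNoRows:` branch keeps returning `JSONError{http.StatusNotFound, "User does not exist."}`, so the response status alone tells a caller whether an account exists, and the per-user limit in the fourth hunk leaks the same fact through a different status. Instead of a FIXME, the `sql.ErrNoRows` and per-user-limit branches should log the condition server-side and return nil, and the handler should answer every outcome of the lookup and mail step with the same body, i.e. the `neutralMessage` constant that this hunk leaves commented out. On the second FIXME: moving the work into a goroutine does not by itself make the response time constant; what equalizes timing is writing the neutral response before (or independently of) the lookup and mail delivery, with those steps then running in the background under their own context. The enclosing handler begins before this hunk and the point where the response is written is not visible here, so the exact placement has to be checked against the full function; the wording slips in the added comments (`neutral messages`, `being send`, `done it a goroutine`) can be fixed in the same pass.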
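Review bot: The rewritten `Message:` line pairs a request-limit condition with `http.StatusServiceUnavailable`; `http.StatusTooManyRequests` (429) is the status that describes a hit limit, and the same applies to the unchanged per-user branch in the fourth hunk, which now also reads with the old grammar (`Too much password reset requests for user`) next to the new `Too many ...` text. The `count >= maxPasswordResets` check appears to be a global throttle reachable before any user lookup, so `please notify the administrator` is shown to anonymous callers while the administrator would only learn of it from a server-side log entry — a `log.Printf` at this branch is the part that is actually missing. The closure this branch belongs to starts in the previous hunk and its surrounding statements are outside this one.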