changeset 522:8e82936b49f7

merge
author Bernhard Reiter <bernhard@intevation.de>
date Mon, 27 Aug 2018 17:10:25 +0200
parents e5dab193207a (current diff) 139214cecc8f (diff)
children e86d6e016bbb
files
diffstat 1 files changed, 15 insertions(+), 1 deletions(-) [+]
--- a/pkg/controllers/pwreset.go	Mon Aug 27 16:46:19 2018 +0200
+++ b/pkg/controllers/pwreset.go	Mon Aug 27 17:10:25 2018 +0200
@@ -188,6 +188,16 @@
 
 	ctx := req.Context()
 
+	// FIXME, we need to always answer with a neutral messages
+	// to avoid becoming an oracle about which user exists to third parties.
+
+	// Error messages need to be logged instead of being send to the user.
+	//
+	// const neutralMessage = "If this account exists, a reset link will be mailed."
+
+	// FIXME responding should be done it a goroutine of its own so its
+	// executing time is constant (to avoid becoming an oracle over the
+	// response time).
 	if err = auth.RunAs(
 		pwResetRole, ctx,
 		func(conn *sql.Conn) error {
@@ -202,7 +212,7 @@
 			if count >= maxPasswordResets {
 				return JSONError{
 					Code:    http.StatusServiceUnavailable,
-					Message: "Too much password reset request",
+					Message: "Too many requests for the server, please notify the administrator.",
 				}
 			}
 
@@ -210,8 +220,10 @@
 
 			switch {
 			case err == sql.ErrNoRows:
+				//FIXME change to logging
 				return JSONError{http.StatusNotFound, "User does not exist."}
 			case err != nil:
+				//FIXME change to logging
 				return err
 			}
 
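Review bot: The `case err != nil: return err` branch hands the raw database error out of the closure; if the caller serialises it into the JSON reply (the outer handler is not visible here), driver and schema details reach the client, which is a second leak alongside the `sql.ErrNoRows` oracle the FIXME marks. Assuming a logger is available in this package, I would log the original and return a fixed error now, e.g. `log.Printf("password reset: user lookup: %v", err)` followed by `return JSONError{http.StatusInternalServerError, "Internal server error."}`, so the client only ever sees a generic message. The `ErrNoRows` branch cannot simply become a log line, because the rest of the closure (the per-user count below) presumably needs a loaded user; it needs a signal the caller maps onto the neutral reply, which is worth spelling out in the FIXME. Both the `switch` and the closure it sits in extend outside this hunk.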
@@ -222,6 +234,7 @@
 
 			// Limit requests per user
 			if count >= maxPasswordRequestsPerUser {
+				//FIXME change to logging
 				return JSONError{
 					Code:    http.StatusServiceUnavailable,
 					Message: "Too much password reset requests for user",
@@ -235,6 +248,7 @@
 		body := requestMessageBody(useHTTPS(req), user.User, hash, req.Host)
 
 		if err = misc.SendMail(email, "Password Reset Link", body); err == nil {
+			//FIXME change to logging
 			jr.Result = &struct {
 				SendTo string `json:"send-to"`
 			}{email}
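Review bot: The success reply echoes the destination address in `send-to`; if `email` is read from the user's database row rather than from the request body (it is declared above this hunk, so I cannot tell), anyone who knows a valid username learns that account's email address, and even if it is client-supplied, the field confirms the account exists, which contradicts the neutral-message goal stated at the top of the function. I would drop the address from the result and return a fixed message in its place, e.g. `jr.Result = &struct{ Message string }{"If this account exists, a reset link will be mailed."}` with a suitable JSON tag, and keep the address only in the server log. The added `//FIXME change to logging` sits on the success branch, where there is no error to log; it probably belongs to the `else` branch for a failed `misc.SendMail`, which lies outside the hunk. The `if` statement and the handler continue below this hunk.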