Username leakage from password reset mechanism

[edwardsph]

In Reset Password /account/password/reset, if you enter a valid username you get

An invalid username results in

This can be used to confirm whether or not a username exists. It would be better if both cases resulted in the same message. That could be the original message or perhaps "A Reset Password link has been sent to the email associated with this username"

This is a simple fix but as it is a security issue, please could you do an immediate release.

See also: #1758

[bourgeoa]

It seems strange to have a red error message saying that there was success.

What do you think of sending : Failed to send a Reset Password email ?
Which is more generic.

[edwardsph]

The best practice recommendation is that the response is the same either way as in https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

[zg009]

Hello Alain,

If the change needs to be made I already found the code which would be edited to fix.

node-solid-server/lib/requests/password-reset-email-request.js

Lines 92 to 98 in d8290cb

	static handlePost (request) {
	return Promise.resolve()
	.then(() => request.validate())
	.then(() => request.loadUser())
	.then(userAccount => request.sendResetLink(userAccount))
	.then(() => request.renderSuccess())
	.catch(error => request.error(error))

Simply applying renderSuccess() on the final then and catch would suffice, though it may warrant renaming the method.

Edit: Another option is rendering the same view for success and failure but having a debug message which indicates success or failure to individuals developing their own server.

[bourgeoa]

I would do it by replacing that line

node-solid-server/lib/requests/password-reset-email-request.js

Line 126 in d8290cb

throw new Error('Account not found for that username')

this will maintain all the logic, and I will add a comment line, why there is no throw Error

Please do a PR