Skip to content

fix: use generic account recovery response#73

Merged
enlorik merged 2 commits into
mainfrom
fix-account-recovery-message
Jul 2, 2026
Merged

fix: use generic account recovery response#73
enlorik merged 2 commits into
mainfrom
fix-account-recovery-message

Conversation

@enlorik

@enlorik enlorik commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Summary

  • Return the same account-recovery success message whether or not a matching account exists.
  • Keep internal logs truthful for non-matching requests, sent emails, and email delivery failures.
  • Add controller tests for missing account, matching account, and email delivery failure paths.

Why

This prevents the form from revealing whether a username/email pair exists while preserving useful server-side observability.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2f8503e7e6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

trimmedUsername,
LoggingUtil.maskEmail(trimmedEmail));
model.addAttribute("success", RESET_REQUEST_MESSAGE);
return "forgot-password";

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Make reset request paths indistinguishable

When POST /forgot-password gets a username/email pair that does not match an account, this branch returns immediately, while the matching-account branch calls passwordResetService.createTokenAndSendResetEmail, which creates a token and synchronously sends/retries an external email before returning. In the account-recovery flow this patch is trying to protect, a client can still distinguish valid pairs by measuring response time even though the displayed message is generic; make the missing-account path indistinguishable from the real path, e.g. by queueing email work asynchronously or doing equivalent dummy work before responding.

Useful? React with 👍 / 👎.

@enlorik enlorik merged commit 744abfa into main Jul 2, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant