
Additional verification for reset password #38

Open

apragacz opened this issue Mar 19, 2019 · 4 comments

@apragacz
Owner

apragacz commented Mar 19, 2019

Add additional verification to avoid spamming the user with unnecessary e-mails.

@valerymelou

I will recommend using the email instead of the username to find the user to whom the reset password link is sent. That way only the user (and anyone who knows his email address) can request the reset password link to be sent.

@apragacz
Owner Author

@valerymelou
I think this is a fine idea. However, I have personally encountered a situation where I didn't recall which e-mail I used for a given service (or whether I used a modifier, like the one in Gmail: [email protected]) but I remembered what login I used.

Also, this solution (using email instead of the more general login, which could be a username or an email) does not solve the initial problem reported in this issue, because if the attacker knows the e-mail of the victim, he/she can still spam them. This may be less probable than knowing the username (assuming we have it in the User model), but IMO this can be solved by requiring less widely known information (like your exact date of birth or your pet's name).

I still think it could be a viable option (as an opt-in), so I'll create a separate issue for that.
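To make the proposal in the thread concrete, the following is an added, constructed example (not code from django-rest-registration or from either commenter). It models a reset-request handler that accepts either username or e-mail as the login, requires one extra piece of less widely known information (here a constructed `birth_date` field) before any mail is sent, throttles reset mails per account, and returns the same generic response in every case so the endpoint does not reveal which logins exist or which verification value was correct. The `User`, `ResetService` and `make_demo_service` names and the 15-minute interval are assumptions made for the example.

```python
"""Constructed example: password-reset request with an extra verification
factor and per-account throttling. Not the project's own code."""
from dataclasses import dataclass, field
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# The endpoint always answers with this text, whether or not a mail was sent.
GENERIC_RESPONSE = "If the account exists and the details match, a reset e-mail has been sent."


@dataclass
class User:
    username: str
    email: str
    birth_date: str  # ISO date; the "less known information" used as a second check (assumed field)


@dataclass
class ResetService:
    users: List[User]
    min_interval: float = 15 * 60          # seconds between reset mails per account (assumed value)
    last_sent: Dict[str, float] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, token), stands in for real mail

    def _find_user(self, login: str) -> Optional[User]:
        # Accept the "more general login": either username or e-mail, case-insensitively.
        key = login.strip().lower()
        for user in self.users:
            if user.username.lower() == key or user.email.lower() == key:
                return user
        return None

    def request_reset(self, login: str, verification: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        user = self._find_user(login)
        if user is None:
            return GENERIC_RESPONSE  # unknown login: same answer, nothing sent
        # Constant-time comparison so the check itself does not leak via timing.
        if not hmac.compare_digest(user.birth_date.encode(), verification.strip().encode()):
            return GENERIC_RESPONSE  # wrong verification: same answer, nothing sent
        last = self.last_sent.get(user.username)
        if last is not None and now - last < self.min_interval:
            return GENERIC_RESPONSE  # throttled: a valid requester cannot flood the inbox either
        self.last_sent[user.username] = now
        token = secrets.token_urlsafe(32)  # the reset token would be stored server-side and mailed
        self.outbox.append((user.email, token))
        return GENERIC_RESPONSE

    def mails_sent(self) -> int:
        return len(self.outbox)


def make_demo_service() -> ResetService:
    # Constructed sample accounts.
    return ResetService(users=[
        User("alice", "alice@example.com", "1990-05-17"),
        User("bob", "bob@example.com", "1985-11-02"),
    ])


if __name__ == "__main__":
    svc = make_demo_service()
    print(svc.request_reset("alice", "1990-05-17", now=1000.0), svc.mails_sent())   # one mail
    print(svc.request_reset("alice", "2000-01-01", now=1001.0), svc.mails_sent())   # still one
    print(svc.request_reset("nobody", "x", now=1002.0), svc.mails_sent())           # still one
```

Run as a script it shows that the wrong verification value, an unknown login and a repeated valid request all produce the identical response while the outbox count stays at one; the throttle window is what caps how many e-mails even a correct requester can trigger.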

@valerymelou

For me it is more a matter of preference. The email address is more private than the username, in my opinion. If you use this for a social network where users are identified by their username (like the one I use this package for), you can have a situation where 1000 users know the username of another user. If just one of them decides to request a password reset link using that user's username, he can spam him too. The email address is not usually made public on such sites, and you really have to know the person and his email to be able to spam him.

@apragacz
Owner Author

apragacz commented May 10, 2019

This issue can be done when issue #50 is implemented.
