Update password reset copy so as not to reveal whether the email exists

A malicious user could use the old error message to test which email addresses exist in the
user database.
Mouse Reeve 2022-07-06 19:34:00 -07:00
parent 96bf99034c
commit fd5e513ad6
3 changed files with 10 additions and 5 deletions


@ -11,7 +11,7 @@ from django.utils.translation import gettext_lazy as _
env = Env()
env.read_env()
DOMAIN = env("DOMAIN")
VERSION = "0.4.1"
VERSION = "0.4.2"
RELEASE_API = env(
"RELEASE_API",


@ -9,7 +9,13 @@
<div class="block">
<h1 class="title">{% trans "Reset Password" %}</h1>
{% if message %}<p class="notification is-primary">{{ message }}</p>{% endif %}
{% if sent_message %}
<p class="notification is-primary">
{% blocktrans trimmed %}
A password reset link will be sent to <strong>{{ email }}</strong> if there is an account using that email address.
{% endblocktrans %}
</p>
{% endif %}
<p>{% trans "A link to reset your password will be sent to your email address" %}</p>
<form name="password-reset" method="post" action="/password-reset">


@ -3,7 +3,6 @@ from django.contrib.auth import login
from django.core.exceptions import PermissionDenied
from django.shortcuts import redirect
from django.template.response import TemplateResponse
from django.utils.translation import gettext_lazy as _
from django.views import View
from bookwyrm import models
@ -24,12 +23,13 @@ class PasswordResetRequest(View):
def post(self, request):
"""create a password reset token"""
email = request.POST.get("email")
data = {"sent_message": True, "email": email}
try:
user = models.User.viewer_aware_objects(request.user).get(
email=email, email__isnull=False
)
except models.User.DoesNotExist:
data = {"error": _("No user with that email address was found.")}
# Showing an error message would leak whether or not this email is in use
return TemplateResponse(
request, "landing/password_reset_request.html", data
)
@ -40,7 +40,6 @@ class PasswordResetRequest(View):
# create a new reset code
code = models.PasswordReset.objects.create(user=user)
password_reset_email(code)
data = {"message": _(f"A password reset link was sent to {email}")}
return TemplateResponse(request, "landing/password_reset_request.html", data)
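Review bot: The uniform message closes the explicit oracle, but a timing channel remains in the `except models.User.DoesNotExist` branch: it returns immediately, while the found path goes on to create a `PasswordReset` row and call `password_reset_email(code)`, so if that helper sends the mail synchronously (not visible here) an attacker can still tell registered addresses apart by response latency. Consider dispatching the send as a deferred task so both paths do comparable work before returning, and record the intent next to the early return: `# NOTE: keep this path's timing close to the found path, or defer the email send`. The lines between the two hunks (the rest of `post()`) are not shown; any other early return there should reuse the same `data` rather than a distinct message, or the leak reappears. Since enumeration is now only a timing question, a per-IP or per-address rate limit on this endpoint would also bound both that and unsolicited reset mail, but nothing in the hunk shows whether one exists upstream.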