aaronrenner / phx_gen_auth

An authentication system generator for Phoenix 1.5 applications.
772 stars 55 forks source link

Make user enumeration prevention clearer #116

Closed mveytsman closed 3 years ago

mveytsman commented 3 years ago

Following up from a conversation in #elixir-lang on IRC today, this PR clarifies the docs a little bit about what enumeration attacks are, and adds a bit more detail to the generated comments so that the reader knows what to google when they come across this code.

I also changed the name to "User Enumeration." In my experience I've seen this attack called "user enumeration" or "account enumeration" (e.g. see https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html for example usage). I think enumeration on it's own implies something is being enumerated but it doesn't make clear what it is.

josevalim commented 3 years ago

This is fantastic! Can you please send a PR to Phoenix too? The code has already been merged, so we need to port all changes. :)

mveytsman commented 3 years ago

Ooops I just realized this is in Phoenix now.

josevalim commented 3 years ago

:green_heart: :blue_heart: :purple_heart: :yellow_heart: :heart:

mveytsman commented 3 years ago

@josevalim how are you so fast 🤯 Will add this to phoenix