apragacz / django-rest-registration

User-related REST API based on the awesome Django REST Framework
https://django-rest-registration.readthedocs.io/
MIT License

Additional verification for reset password #38

Open apragacz opened 5 years ago

apragacz commented 5 years ago

Add additional verification to avoid spamming the user with unnecessary e-mails.

valerymelou commented 5 years ago

I will recommend using the email instead of the username to find the user to whom the reset password link is sent. That way only the user (and anyone who knows his email address) can request the reset password link to be sent.

apragacz commented 5 years ago

@valerymelou I think this is a fine idea. However, I have personally encountered a situation where I didn't recall which e-mail I used for a given service (or whether I used a modifier, like the one in Gmail: yourname+modifier@gmail.com) but I remembered what login I used.

Also, this solution (using email instead of a more general login, which could be username or email) does not solve the initial problem reported in this issue, because if the attacker knows the e-mail of the victim, he/she can still spam him. This may be less probable than knowing the username (assuming we have it in the User model), but IMO this can be solved by supplying less known information (like your exact date of birth or your pet's name).

I still think it could be a viable option (as an opt-in), so I will create a separate issue for that.
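
The approach sketched in the two comments above (look the user up by login, then require a less widely known field before any e-mail goes out) as an added, self-contained Python example. This is not code from django-rest-registration; the `User` fields, the `date_of_birth` verification field, the in-memory user list, the fake `send_email` callback and the 15-minute per-account interval are all assumptions made for illustration. It also adds two things the thread only implies: a per-account rate limit, so that an attacker who does know the victim's email or username can trigger at most one e-mail per interval, and an identical outward response for every well-formed request, so the endpoint does not reveal whether a login exists or whether the extra field matched.

```python
"""Added example (not django-rest-registration code): reset-password request
handling with lookup by login, an extra verification field, per-account
rate limiting and a uniform response to the caller."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class User:
    # Hypothetical user record; date_of_birth is the "less known information"
    # used as the additional verification factor.
    username: str
    email: str
    date_of_birth: str  # ISO date, e.g. "1990-04-12"


@dataclass
class ResetRequestResult:
    accepted: bool    # what the caller is told; always True for a well-formed request
    email_sent: bool  # internal outcome, only for logs and tests
    reason: str       # internal reason, never returned to the caller


# Constructed sample users (assumption, not real data).
USERS = [
    User("alice", "alice@example.com", "1990-04-12"),
    User("bob", "bob@example.org", "1985-11-30"),
]

# Minimum time between two reset e-mails for the same account (assumed value).
MIN_INTERVAL = timedelta(minutes=15)


class ResetPasswordService:
    def __init__(self, users, send_email, clock=None):
        self.users = users
        self.send_email = send_email  # callback taking the recipient address
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.last_sent = {}  # username -> datetime of last e-mail

    def find_user(self, login):
        """Accept either username or e-mail, case-insensitively."""
        login_l = login.strip().lower()
        for u in self.users:
            if u.username.lower() == login_l or u.email.lower() == login_l:
                return u
        return None

    def request_reset(self, login, date_of_birth):
        # Every branch returns accepted=True so the response does not leak
        # whether the login exists or whether the verification field matched.
        user = self.find_user(login)
        if user is None:
            return ResetRequestResult(True, False, "no such user")
        # Constant-time comparison of the extra verification field.
        if not hmac.compare_digest(user.date_of_birth.encode(),
                                   date_of_birth.strip().encode()):
            return ResetRequestResult(True, False, "verification failed")
        now = self.clock()
        last = self.last_sent.get(user.username)
        if last is not None and now - last < MIN_INTERVAL:
            return ResetRequestResult(True, False, "rate limited")
        self.last_sent[user.username] = now
        self.send_email(user.email)
        return ResetRequestResult(True, True, "email sent")


def demo():
    """Run four requests against a fixed clock; returns (outcomes, sent addresses)."""
    sent = []
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    svc = ResetPasswordService(USERS, sent.append, clock=lambda: t0)
    outcomes = [
        svc.request_reset("alice", "1990-04-12"),              # e-mail sent
        svc.request_reset("ALICE@example.com", "1990-04-12"),  # same account, rate limited
        svc.request_reset("bob", "2000-01-01"),                # wrong verification field
        svc.request_reset("carol", "1990-04-12"),              # unknown login
    ]
    return [(o.reason, o.email_sent) for o in outcomes], sent


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

The caller only ever sees `accepted=True`; the `reason` stays server-side. In a real deployment the `last_sent` map would live in a shared cache or the database rather than in process memory, and the same throttle should also be applied per source IP, since the per-account limit alone does not stop an attacker from spraying many accounts.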

valerymelou commented 5 years ago

For me it is more a matter of preference. The email address is more private than the username, in my opinion. If you use this for a social network where users are identified by their username (like the one I use this package for), you can have a situation where 1,000 users know the username of another user. If just one of them decides to request a password reset link using that user's username, he can spam him too. The email address, on the other hand, is not usually made public on such sites, and you really have to know the person and his email to be able to spam him.

apragacz commented 5 years ago

This issue can be done when issue #50 is implemented.