Closed egmfrs closed 6 years ago
We'd consider this giving away a little too much information to a potential attacker, I'm afraid.
@blowdart thanks for the confirmation. Could you possibly elaborate on how an attacker could use a "token expired" response to their advantage?
You'd be confirming the token was once valid, and that it's in the correct format. Think about it like returning an error from a login screen. You don't say "We don't know that login ID" or "That password expired ages ago, you have a new one"; we just return "Login is invalid".
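The pattern described in the reply above, as an added illustration (this is not code from the thread or from any library the participants are using): the server still distinguishes malformed, tampered and expired tokens internally, but every failure produces the same response to the client, with the detailed reason written only to server-side logs. The token format (`user_id:expiry:hmac`), the signing key and the function names are all assumptions made for this example.

```python
import hashlib
import hmac
import logging
import time
from enum import Enum
from typing import Optional

# Constructed signing key for this example only; a real deployment loads it from configuration.
SIGNING_KEY = b"example-signing-key-not-for-production"

log = logging.getLogger("confirmation")


class Reason(Enum):
    """Internal classification of a token check. Never sent to the client."""
    OK = "ok"
    MALFORMED = "malformed"
    BAD_SIGNATURE = "bad_signature"
    EXPIRED = "expired"


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build 'user_id:expiry:hmac' (hypothetical format chosen for this example)."""
    exp = int(now if now is not None else time.time()) + ttl_seconds
    payload = f"{user_id}:{exp}"
    return f"{payload}:{_sign(payload)}"


def classify(token: str, now: Optional[float] = None) -> Reason:
    """Detailed check. Signature is verified before expiry, so an unsigned or
    tampered token never reaches the expiry comparison."""
    parts = token.rsplit(":", 2)  # user_id may itself contain ':'
    if len(parts) != 3 or not parts[1].isdigit():
        return Reason.MALFORMED
    user_id, exp_str, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{user_id}:{exp_str}")):
        return Reason.BAD_SIGNATURE
    current = now if now is not None else time.time()
    if int(exp_str) < current:
        return Reason.EXPIRED
    return Reason.OK


def confirm_email_leaky(token: str, now: Optional[float] = None) -> dict:
    """Anti-pattern: echoes the reason, so the response doubles as an oracle
    telling the caller whether a token was well-formed and once valid."""
    reason = classify(token, now)
    if reason is Reason.OK:
        return {"ok": True}
    return {"ok": False, "error": reason.value}


def confirm_email(token: str, now: Optional[float] = None) -> dict:
    """Hardened form: one response for every failure; the detail goes to logs only."""
    reason = classify(token, now)
    if reason is Reason.OK:
        return {"ok": True}
    log.info("email confirmation rejected: reason=%s", reason.value)
    return {"ok": False, "error": "invalid_token"}
```

Because `confirm_email` keeps the detailed reason in the log line, support staff can still tell an expired link from a corrupted one when a user reports a problem, while the response body gives a caller no way to learn which case they hit.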
Is there a way to do this? Like an error code that will return when the email confirmation token has expired? For example, if the error code were "TokenExpired" I could use the following to return the user to a specific view which gives them advice on a process to follow if their token has expired: