chicommons / maps

MIT License

BACKEND: Remove Error Message on password reset request #241

Open maxgraziano opened 1 month ago

maxgraziano commented 1 month ago

Environment: In development environment, using preloaded dataset.

Steps to reproduce: 1) Request via POST to the /password-reset/ endpoint for a known user's email.

{
  "email": "chicommons@chicommons.com"
}

2) Confirm you get a 200 HTTP response. Observe the response.

{
  "message": "Password reset link has been sent to your email."
}

3) Request via POST to the /password-reset/ endpoint for an email not associated with a known user.

{
  "email": "max@chicommons.com"
}

4) Confirm you get a 404 HTTP response. Observe the response.

{
  "error": "User not found."
}

Expected Behavior: /password-reset should return the same message regardless of whether the requested email is associated with an account or not. Providing different messages is a security concern that could leak emails to a third party.
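One way to implement the expected behaviour, shown here as an added example rather than the project's own code: a framework-neutral Python handler for the request described above that branches only on the side effect (sending the mail) and never on the status code or body. The in-memory user set, the mailer stub and the function names are assumptions standing in for the real database and mail backend.

```python
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the user table; the real app would query its ORM.
KNOWN_USERS = {"chicommons@chicommons.com"}

# Single response used for every syntactically valid request, known user or not.
GENERIC_RESPONSE = {
    "message": "If an account exists for that email, a password reset link has been sent."
}

# Records which addresses the stub mailer was asked to send to (assumed helper).
SENT: List[str] = []


def send_reset_email(email: str) -> None:
    """Placeholder mailer; the real implementation would generate and mail a token."""
    SENT.append(email)


def password_reset_request(
    payload: Dict[str, str],
    user_exists: Callable[[str], bool] = KNOWN_USERS.__contains__,
    send: Callable[[str], None] = send_reset_email,
) -> Tuple[int, Dict[str, str]]:
    """Handle POST /password-reset/ without revealing whether the email is registered.

    Returns (http_status, json_body). The only non-200 outcome is input validation,
    which depends on the request alone and not on the user database.
    """
    email = (payload.get("email") or "").strip().lower()
    if "@" not in email:
        return 400, {"error": "A valid email address is required."}
    # The lookup result decides only whether mail goes out, never what the caller sees.
    if user_exists(email):
        send(email)
    return 200, GENERIC_RESPONSE


def responses_indistinguishable(known_email: str, unknown_email: str) -> bool:
    """Check that a registered and an unregistered address get byte-identical replies."""
    return password_reset_request({"email": known_email}) == password_reset_request(
        {"email": unknown_email}
    )
```

Because mail is only sent for known addresses, response latency can still differ between the two cases; dispatching the send to a background queue keeps the lookup result from affecting timing as well as content.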