vincentchalamon
commented
1 year ago Hi @jbmsubhash,
Glad you're using this bundle :-) But I think you're missing some important security points implemented in this bundle.
The POST /forgot-password/ route is the first one to be called in the process. You have 2 use cases:
- you send a valid email address: you're supposed to create an EventListener to listen to a bundle event in order to send an email (cf. related doc);
- you send an invalid email address: no bundle event is triggered, so your EventListener is not called here.
In both use case, we're supposed to return an empty response.
What if we create a token in this route, and return it? Well, this is not the purpose of this route! A validation of the user (for example, by sending him a validation link to his email address) must be done first.
Bypassing this validation will be a security issue as you're not sure of the user requesting this password renewal.
Returning the token directly from this response (after checking the user with this email exists in the database) will be a security issue too as we're providing an information such as "hey, this user exists in my database!".
Please follow the documentation carefully:
- install and configure the bundle
- use this bundle for your own usage
- increase security by ensuring the user is not authenticated
- (optionnal) configure your own manager (if you're not using Doctrine)
In addition, I highly recommend you to have a look at the Forgot Password OWASP Cheat Sheet.
jbmsubhash
Describe the bug When I hit the endpoint
forgot-password/it returns me a 204 error without any logs. There are no tokens are being created in the table.To Reproduce Installed the package and the configuration done many times. It is the same.
Expected behavior A clear and concise description of what you expected to happen.
Screenshots packages/coop_tilleuls_forgot_password.yaml
routes/coop_tilleuls_forgot_password.yaml
Entity
Request for an invalid email
Happy to provide further information if required.