I have not been able to turn off the error message that the user hasn't verified their email address when using 'Forgotten password' functionality.
This is deemed a security issue as that response/error verifies that there is such user account compared to the lack of it when the email is invalid.
Steps:
User has forgotten password - makes a request through the front-end or Postman
If user's email is not verified, the response indicates so = confirms the user has an account on the system
If user is not a user, the error is 'User not found', which confirms the user isn't there.
Is there a way to blank out the errors by passing a configuration parameter? I've been through the documentation but haven't seen such a consideration.
Penetration tests deem this to be a low to medium severity issue and I was hoping there is a parameterised fix for it - similar to an always valid generic message - "Check your inbox, in case of problem, please contact support".
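To illustrate the enumeration problem and the generic-response fix being asked for, here is an added example (not code from the project or the original post): a hypothetical forgot-password handler in the leaky form described above beside a uniform variant that returns the same status and body for unknown, unverified and verified accounts, moving the difference into which e-mail (if any) is sent. The user store, e-mail addresses and outbox are constructed for the example.

```python
import json
from dataclasses import dataclass


@dataclass
class User:
    email: str
    email_verified: bool


# Constructed sample user store (hypothetical), keyed by lowercase e-mail.
USERS = {
    "alice@example.com": User("alice@example.com", email_verified=True),
    "bob@example.com": User("bob@example.com", email_verified=False),
}

GENERIC_MESSAGE = "Check your inbox; in case of problems, please contact support."


def forgot_password_leaky(email, users=USERS):
    """The behaviour described in the question: three distinguishable responses."""
    user = users.get(email.lower())
    if user is None:
        return 404, {"error": "User not found"}          # reveals the account is absent
    if not user.email_verified:
        return 400, {"error": "Email address not verified"}  # reveals the account exists
    return 200, {"message": "Password reset email sent"}


def forgot_password_uniform(email, users=USERS, outbox=None):
    """Same status and body for every input; only the side effect differs."""
    outbox = outbox if outbox is not None else []
    user = users.get(email.lower())
    if user is None:
        pass  # nothing to send; the response must not say so
    elif not user.email_verified:
        outbox.append((user.email, "verify-email"))    # ask them to verify first
    else:
        outbox.append((user.email, "password-reset"))  # normal reset flow
    return 200, {"message": GENERIC_MESSAGE}


def responses_are_indistinguishable(emails, handler=forgot_password_uniform):
    """True when the handler yields one (status, body) pair across all inputs."""
    seen = {(s, json.dumps(b, sort_keys=True)) for s, b in (handler(e) for e in emails)}
    return len(seen) == 1
```

The leaky handler fails the `responses_are_indistinguishable` check for a mix of known, unverified and unknown addresses, while the uniform one passes it; response timing should be kept uniform too, which this snippet does not address.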