In the badgeuser API, the post() method of BadgeUserForgotPassword() initiates the password reset procedure. It claims in a comment:
    if email_address is None:
        # return 200 here because we don't want to expose information about which emails we know about
        return Response(status=status.HTTP_200_OK)
and later
    try:
        user = UserCls.objects.get(pk=email_address.user_id)
    except UserCls.DoesNotExist:
        return Response(status=status.HTTP_200_OK)
The problem is that the early HTTP_200_OK responses create a timing side-channel: the status code is the same in every case, but a request for an unknown address returns before the user lookup and email delivery that a known address triggers, so response latency still reveals which addresses are registered. Admittedly it is a bit noisy, since the target gets a password reset email.
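To make the two code paths concrete, here is an added, framework-free sketch (not Badgr's code) of the reported handler shape beside a hardened variant that does identical work on every request and defers the user lookup and mail delivery to a background worker. KNOWN_USERS, the handler names and the queue/worker functions are constructed stand-ins, not names from the project.

```python
import secrets

# Constructed in-memory stand-in for the user table (hypothetical, not Badgr's models).
KNOWN_USERS = {"alice@example.com": 1, "bob@example.com": 2}


def vulnerable_forgot_password(email, send_email):
    """Shape of the reported handler: an unknown address returns 200 at once,
    a known one does the lookup and sends the reset mail before returning 200.
    The status code is identical, but the work done before responding is not,
    so response latency reveals whether the address is registered."""
    user_id = KNOWN_USERS.get(email)
    if user_id is None:
        return 200                      # early return: fast path
    token = secrets.token_urlsafe(32)   # only reached for known addresses
    send_email(email, token)            # synchronous delivery: slow path
    return 200


def hardened_forgot_password(email, enqueue):
    """Every request does the same work: mint a token, hand a job to a
    background queue, return 200. Whether the address belongs to a user is
    decided by the worker, outside the request's timing path."""
    token = secrets.token_urlsafe(32)
    enqueue({"email": email, "token": token})
    return 200


def reset_worker(job, send_email):
    """Background side of the hardened flow: looks up the user and sends mail
    only if one exists. Its runtime is not observable to the requester."""
    user_id = KNOWN_USERS.get(job["email"])
    if user_id is None:
        return False                    # silently drop unknown addresses
    send_email(job["email"], job["token"])
    return True


def request_work_counts(handler):
    """Count the side-effecting calls each handler makes per request for a
    registered and an unregistered address; equal counts mean the request
    path no longer depends on whether the address exists."""
    counts = {}
    for email in ("alice@example.com", "nobody@example.com"):
        calls = []
        handler(email, lambda *args: calls.append(args))
        counts[email] = len(calls)
    return counts
```

Padding the fast path with a fixed sleep is a weaker alternative: it narrows the gap but leaves the lookup and mail delivery variance in the request path, whereas queueing removes them entirely.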