jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License

Is there a way to do paranoid errors? #154

Closed basabin54 closed 3 years ago

basabin54 commented 3 years ago

Hello! 👋

I've been digging through the docs and the codebase and I can't find anything on this, so hopefully someone can help me.

Is there any way to do paranoid errors in the login/reset password request flows, like devise's paranoid mode, to prevent email harvesting/user enumeration hacks? https://github.com/heartcombo/devise/wiki/How-To:-Using-paranoid-mode,-avoid-user-enumeration-on-registerable

If not, is this a feature that you all would be interested in? I'd be willing to work on it.

Thanks!

jeremyevans commented 3 years ago

It's basically impossible to avoid user enumeration attacks (usually they are vulnerable to timing attacks), so Rodauth doesn't try to give you a false sense of security by attempting it. Additionally, trying to make enumeration more difficult (invalid login or password instead of invalid login) significantly hurts usability, because actual users that typo their logins aren't informed which of the two is the problem. So this isn't a feature that I'm interested in having in Rodauth. You are always free to develop it as an external Rodauth feature, which Rodauth can load automatically.

As described in the contribution guidelines, GitHub Issues should only be used to report bugs in Rodauth. If you have further questions about Rodauth, please ask them on the Google Group. Only use GitHub Issues to file bug reports.
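An added illustration of the timing point made in the reply above (constructed for this thread, not Rodauth's own code): a "paranoid" generic error message still leaks whether a login exists if the password hash check is skipped for unknown logins, and even the dummy-hash workaround only narrows the gap. PBKDF2 from Ruby's stdlib stands in for the password hash, and the user record, dummy credential and login functions are all assumptions.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000                         # stand-in cost for a real password hash
GENERIC_ERROR = 'Invalid login or password'  # the "paranoid" message, same on every failure

def derive(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'sha256')
end

# Constant-time comparison so the compare step itself does not leak.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed demo account (assumption): one known login with a stored hash.
ALICE_SALT = SecureRandom.random_bytes(16)
USERS = { 'alice@example.com' => { salt: ALICE_SALT, hash: derive('correct horse', ALICE_SALT) } }
# Throwaway credential used only to burn equal work when the login is unknown.
DUMMY_SALT = SecureRandom.random_bytes(16)
DUMMY = { salt: DUMMY_SALT, hash: derive(SecureRandom.hex(16), DUMMY_SALT) }

# Naive paranoid mode: identical message, but an unknown login returns before
# any hashing, so its response is far quicker than a wrong-password response.
def naive_login(email, password)
  user = USERS[email]
  return [GENERIC_ERROR, :skipped_hash] unless user
  ok = secure_compare(derive(password, user[:salt]), user[:hash])
  [ok ? :ok : GENERIC_ERROR, :hashed]
end

# Hardened variant: always run the derivation, against the dummy hash if needed.
# The gap shrinks but does not vanish (DB lookup, caches, other code paths).
def hardened_login(email, password)
  user = USERS[email]
  target = user || DUMMY
  ok = secure_compare(derive(password, target[:salt]), target[:hash]) && !user.nil?
  [ok ? :ok : GENERIC_ERROR, :hashed]
end

def elapsed_ms
  t = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  yield
  ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - t) * 1000).round(1)
end

if __FILE__ == $0
  [['alice@example.com', 'wrong'], ['nobody@example.com', 'wrong']].each do |email, pw|
    puts "#{email.ljust(20)} naive=#{elapsed_ms { naive_login(email, pw) }}ms " \
         "hardened=#{elapsed_ms { hardened_login(email, pw) }}ms"
  end
end
```

Running it prints the two response times per login; the naive path for the unknown login is the one that stands out, which is exactly the signal an enumeration probe measures.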

basabin54 commented 3 years ago

My apologies!

Understood and thank you 👍