lingthio / Flask-User

Customizable User Authorization & User Management: Register, Confirm, Login, Change username/password, Forgot password and more.
http://flask-user.readthedocs.io/
MIT License

Prevent email enumeration #151

Closed bbc2 closed 6 years ago

bbc2 commented 8 years ago

The nice thing about only requiring an email and a password for registration is that you can prevent users from learning what emails are already used. To do that, you can simply just say "We sent you an email, check your inbox" whether the provided email is taken or not. However, Flask-User doesn't hide that: it says "This Email is already in use. Please try another one." if an email is taken already.

That's often not an issue but I'd really like to be able to set an option like USER_NO_EMAIL_ENUMERATION so that Flask-User applies the trick I mentioned above. It's not really useful if you already ask for a username because those can be enumerated anyway, but when USER_ENABLE_USERNAME = False it would be nice to have that option. What do you think?

bbc2 commented 8 years ago

The same applies to the "Forgot password" page as it is public.
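The pattern bbc2 describes, for both the registration form and the public "Forgot password" form, as an added example (not Flask-User's own code): the handler returns one fixed response regardless of whether the address is registered, and any information that depends on account existence goes into the email instead. The in-memory `UserStore`, the `Outbox` stand-in for a mail backend, the uniform message texts and the function names are constructed for this example; `register_revealing` reproduces the current behaviour quoted in the issue for contrast.

```python
"""
Enumeration-resistant registration and password-reset handlers.

Added example, not Flask-User's code. The store, outbox and message
wording are constructed; only REVEALING_TAKEN_MSG is quoted from the issue.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass, field

# Message Flask-User shows today (quoted from the issue): it reveals existence.
REVEALING_TAKEN_MSG = "This Email is already in use. Please try another one."
# One message for every outcome (constructed wording).
UNIFORM_REGISTER_MSG = "We sent you an email, check your inbox."
UNIFORM_RESET_MSG = "If an account exists for that address, we sent password reset instructions to it."


@dataclass
class Outbox:
    """Stand-in for a mail backend; records (recipient, subject, body) tuples."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


class UserStore:
    """Minimal in-memory user table keyed by normalized email (constructed)."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def normalize(email):
        # Case and whitespace variants must map to one key; otherwise
        # "Bob@x.org" and "bob@x.org" would be two different probes.
        return email.strip().lower()

    def exists(self, email):
        return self.normalize(email) in self._users

    def create(self, email, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self._users[self.normalize(email)] = (salt, digest)


def register_revealing(store, outbox, email, password):
    """Current behaviour: the HTTP response differs when the email is taken."""
    if store.exists(email):
        return REVEALING_TAKEN_MSG
    addr = store.normalize(email)
    store.create(addr, password)
    outbox.send(addr, "Confirm your account", f"Confirm with token {secrets.token_urlsafe(32)}")
    return UNIFORM_REGISTER_MSG


def register_uniform(store, outbox, email, password):
    """Requested behaviour: identical response either way; the truth goes to the inbox."""
    addr = store.normalize(email)
    if store.exists(addr):
        # Only the mailbox owner learns that an account already exists.
        outbox.send(addr, "Someone tried to register with your address",
                    "You already have an account here. If this was you, just log in.")
    else:
        store.create(addr, password)
        outbox.send(addr, "Confirm your account", f"Confirm with token {secrets.token_urlsafe(32)}")
    return UNIFORM_REGISTER_MSG


def forgot_password_uniform(store, outbox, email):
    """Same idea for the public 'Forgot password' form."""
    addr = store.normalize(email)
    if store.exists(addr):
        outbox.send(addr, "Reset your password", f"Reset with token {secrets.token_urlsafe(32)}")
    # Unknown address: nothing is sent, but the response text is exactly the same.
    return UNIFORM_RESET_MSG
```

Two details matter beyond the message text: normalize the address before the lookup, so that spelling variants of one address do not behave differently, and keep the work done in both branches similar (for instance by queueing the email rather than sending it inline), since a noticeably slower response on the "account exists" path would leak the same information the uniform message hides.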

lingthio commented 6 years ago

Added a USER_SHOW_USERNAME_EMAIL_DOES_NOT_EXIST setting some time ago. Fixed in v0.6 and v1.0.