Closed alexburner closed 1 year ago
For posterity, we were able to override this with a custom form:
mysite/forms.py
from allauth.account.forms import ResetPasswordForm
class CustomResetPasswordForm(ResetPasswordForm):
def save(self, request, **kwargs):
email = self.cleaned_data["email"]
if self.users:
self._send_password_reset_mail(request, email, self.users, **kwargs)
return email
settings.py
ACCOUNT_FORMS = {'reset_password': 'mysite.forms.CustomResetPasswordForm'}
It's worth noting that the allauth
documentation recommends against skipping super()
like this:
# Ensure you call the parent class's save.
The password reset is rate limited, mitigating the ability for a bad actor to spam like this.
The attack vector you are describing is not addressable by changing the password reset. The bad actor could just as well spam the signup page, that will result in sending email verification mails as well. But, that is rate limited as well.
So all in all, the issue is not fixable by focusing solely on the password reset. Built-in rate limiting already mitigates this. If that is not enough, you would need to resort to using a captcha system.
just as a heads up to others trying the above workaround from @alexburner and running into circular import issues, I ended up bypassing the email sending to unknown accounts in another way: https://github.com/bornhack/bornhack-website/commit/3c8e0aedbcf0c6897a25a558abd6b0acb96c8b0f
ps. we already have a captcha of sorts on the signup form but the pw reset form was getting spammed
Related issue: https://github.com/pennersr/django-allauth/issues/2360
My team just discovered this vulnerability — currently, a user can enter any email address in the password reset form, and that address will receive an email from our system.
⚠️ This means a bad actor could "spam" a large number of addresses with these emails, and tank our domain reputation ⚠️
I understand that the
ResetPasswordForm
should submit successfully regardless, withACCOUNT_PREVENT_ENUMERATION=True
, to prevent users from determining who's registered with the system.But why send actually send an email to these unknown addresses? Couldn't
allauth
just fail silently, in that case?I see the
_send_unknown_account_mail
method got added in the originalACCOUNT_PREVENT_ENUMERATION
commit: https://github.com/pennersr/django-allauth/commit/7a719b64154840a8c6ff5c4301568f897721fcc0#diff-aca468f72aa7648b36b8ee86a25c3ade350120bc2769cd875e418b1f50574935R536Could we get an additional configuration flag, such as
SEND_PASSWORD_RESET_TO_UNKNOWN_ADDRESSES=False
, to prevent this behavior?