Closed guidotripaldi closed 5 years ago
My only concern with this change is that we will reveal too much information if we are using "invalid token" for invalid tokens and "invalid credentials" when there is no user.
Let me think about this, and then I will get back to you soon.
Yes, I understand your concern. The problem is that in production, when there are thousands of users that forget their password, giving them support is a big problem if the error messages are not informative enough.
I think it would be better if we could have completely distinct messages for every single different error condition, and let the developers choose the level of transparency to give externally to the public, always having all the information to debug users' actions and errors on the private side.
This way they could, for example, make a page reserved for customer support with the exact information regarding the errors, while returning to the user a more generic error.
Could you send me a PR for this? I think we can handle the concerns I have by updating the documentation - but we can do that later.
Fixed in v1.2 and v2.0.0
If the user tries to reset the password by clicking again on the same link that was mailed to him for resetting the password after the link was already used for successfully resetting his password, the error message displayed is "Invalid Credentials", which is misinformative. The same when he clicks the link for the first time, but after the `max_age` has expired. This is because in `Phauxth.Confirm.Report` the case is managed by this function that calls the generic `Config.user_messages().default_error()`, which issues the "Invalid Credential" string. I think that instead it would be better to call something like `{:error, Config.user_messages().invalid_token()}`, defined as:

If you agree with this solution, I can submit a PR
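The design discussed in this thread (one distinct internal reason per failure condition, such as an already-used or expired link, with the developer choosing how much of it is exposed to the end user and the full detail kept for support) as an added illustration in Elixir. This is not Phauxth's code: the module name `ResetErrorReport`, the token map fields (`user_id`, `inserted_at`, `max_age`, `used_at`) and the `check/2` and `report/2` functions are assumptions made for the example.

```elixir
# Hypothetical example of "distinct internal reasons, configurable public
# message". Not Phauxth code: module, function names and token fields are
# assumptions for this illustration.
defmodule ResetErrorReport do
  require Logger

  # The single string every failure collapses to in public mode, so the
  # response does not reveal whether an account or a token exists.
  @generic "Invalid credentials"

  # One distinct reason per failure condition, with a support-facing message.
  @details %{
    no_user: "no account matches the supplied identifier",
    invalid_token: "token is malformed or not found",
    token_expired: "token is older than max_age",
    token_used: "token was already used for a successful reset"
  }

  @doc """
  Classify a reset attempt. `token` is nil or a map with the constructed
  shape %{user_id, inserted_at, max_age, used_at}; timestamps are seconds.
  """
  def check(nil, _now), do: {:error, :invalid_token}
  def check(%{user_id: nil}, _now), do: {:error, :no_user}
  def check(%{used_at: used}, _now) when not is_nil(used), do: {:error, :token_used}

  def check(%{inserted_at: at, max_age: max}, now) when now - at > max,
    do: {:error, :token_expired}

  def check(%{user_id: id}, _now), do: {:ok, id}

  @doc """
  Turn a check result into what each audience should see.
  `:public` (default) returns the generic string to the end user;
  `:support` returns the distinct message, for a page restricted to support
  staff. The precise reason is logged server-side in both modes.
  """
  def report(result, mode \\ :public)
  def report({:ok, id}, _mode), do: {:ok, id}

  def report({:error, reason}, mode) do
    detail = Map.fetch!(@details, reason)
    # Keep the exact condition available for debugging regardless of `mode`.
    Logger.info("password reset failed: #{reason} - #{detail}")
    message = if mode == :support, do: detail, else: @generic
    {:error, message, reason}
  end
end

# Constructed sample tokens covering the conditions described in the issue.
now = 1_700_000_000
used = %{user_id: 42, inserted_at: now - 60, max_age: 3_600, used_at: now - 30}
expired = %{user_id: 42, inserted_at: now - 7_200, max_age: 3_600, used_at: nil}
fresh = %{user_id: 42, inserted_at: now - 60, max_age: 3_600, used_at: nil}

# Same already-used link: generic message for the user, distinct one for support.
IO.inspect(used |> ResetErrorReport.check(now) |> ResetErrorReport.report())
IO.inspect(used |> ResetErrorReport.check(now) |> ResetErrorReport.report(:support))
# Expired link and a valid one.
IO.inspect(expired |> ResetErrorReport.check(now) |> ResetErrorReport.report(:support))
IO.inspect(fresh |> ResetErrorReport.check(now) |> ResetErrorReport.report())
```

Running this with `elixir` prints the generic string for the already-used link in public mode and the specific "already used" or "older than max_age" message in support mode, while the log line carries the reason in every case. Keeping the public reply generic is what answers the concern raised earlier in the thread about telling "invalid token" apart from "no user" in the response, and the logged reason plus the `:support` mode keep the precise condition available to the people doing support.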