Setting Devise to use "paranoid" mode prevents the library from enumerating users.
Prior to enabling paranoid mode, a malicious user could use the "forgot password" page to fish for user emails. With paranoid mode off, entering an email of a user who does not exist returns a form validation error (Email not found), but works for an email in the system.
With this setting set to true we'll ALWAYS make it seem that a forgot password email is sent, limiting the amount of private data we expose to the end user.
In development letter_opener will still pop open a new tab so we'll know if password resets are behaving as they should.
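As an added illustration (not Devise's code and not part of the original change), here is a small self-contained Ruby model of the two "forgot password" behaviours together with the check a reviewer wants: that a known and an unknown address produce indistinguishable responses once paranoid mode is on. The in-memory user store, the `mail_sent` flag (server-side only, the kind of thing letter_opener shows you in development) and the message strings are constructed for the example, modeled on Devise's default wording; `config.paranoid = true` in `config/initializers/devise.rb` is the real setting.

```ruby
# Constructed model of Devise's password-reset request, with and without
# paranoid mode. Not Devise's own code. In a real app the fix is one line in
# config/initializers/devise.rb:
#   config.paranoid = true

# Constructed in-memory user store (stands in for the User model).
KNOWN_EMAILS = ["alice@example.com"].freeze

# Messages modeled on Devise's defaults (constructed for this example).
EMAIL_NOT_FOUND = "Email not found"
SENT_NOTICE     = "You will receive an email with instructions on how to " \
                  "reset your password in a few minutes."
PARANOID_NOTICE = "If your email address exists in our database, you will " \
                  "receive a password recovery link at your email address " \
                  "in a few minutes."

# Simulates POST /users/password. :status and :message are what the client
# sees; :mail_sent is server-side only (the email still goes only to real
# accounts in both modes).
def forgot_password(email, paranoid:)
  exists = KNOWN_EMAILS.include?(email.downcase.strip)
  if paranoid
    # Identical status and message whether or not the account exists.
    { status: 302, message: PARANOID_NOTICE, mail_sent: exists }
  elsif exists
    { status: 302, message: SENT_NOTICE, mail_sent: true }
  else
    # The leak: a distinguishable validation error for unknown addresses.
    { status: 422, message: EMAIL_NOT_FOUND, mail_sent: false }
  end
end

# The check: keep only what the client can observe and compare a known
# address against an unknown one. Any difference is an enumeration oracle.
def enumeration_oracle?(paranoid:)
  observable = ->(r) { r.reject { |k, _| k == :mail_sent } }
  observable.call(forgot_password("alice@example.com", paranoid: paranoid)) !=
    observable.call(forgot_password("nobody@example.com", paranoid: paranoid))
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |mode|
    puts "paranoid=#{mode}: enumeration possible? #{enumeration_oracle?(paranoid: mode)}"
  end
end
```

The same comparison makes a good request spec in a real app: post both addresses to the password path and assert equal status and flash, so a future change cannot silently reintroduce the leak.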