An attacker may use the "forgot-password" request to know whether an account with the targeted email exists or not.
Whether the email is in use or not, the requestor should probably receive the same response.
Something like this:
```typescript
import moment from 'moment';
import httpStatus from 'http-status';
// Project-local imports; the paths below are assumptions, adjust them to the project's layout
import ApiError from '../utils/ApiError';
import config from '../config/config';
import { tokenTypes } from '../config/tokens';
import { userService } from '../services';
import { generateToken, saveToken } from './token.service';

export const generateResetPasswordToken = async (email: string): Promise<string> => {
  const user = await userService.getUserByEmail(email);
  if (!user) {
    // Unknown address: stop here without revealing it. The error carries 200 OK and the same
    // neutral message, so the form submitter receives a pseudo-success message.
    throw new ApiError(
      httpStatus.OK,
      'If this email is registered, it will receive the instructions on resetting the password.'
    );
  }
  const expires = moment().add(config.jwt.resetPasswordExpirationMinutes, 'minutes');
  const resetPasswordToken = generateToken(user.id, expires, tokenTypes.RESET_PASSWORD);
  await saveToken(resetPasswordToken, user.id, expires, tokenTypes.RESET_PASSWORD);
  return resetPasswordToken;
};
```
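One caveat with the throw above: the error still passes through the error handler, so the registered path must also end in the same status and body (and comparable work) or the two responses remain distinguishable. The following added example (not from the issue or the project) shows a forgot-password handler whose status, body and token work are identical on both paths; it assumes an in-memory user map and mail outbox in place of the project's userService and mailer, and uses an HMAC-bound token with a constant-time check instead of the project's JWT helpers.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from 'crypto';

// Constructed stand-ins (assumptions) for the project's user service and mailer.
const users = new Map<string, { id: string }>([['alice@example.com', { id: 'u1' }]]);
export const outbox: { to: string; token: string }[] = [];
const SECRET = 'placeholder-secret-loaded-from-config';
const EXPIRY_MS = 10 * 60 * 1000;

export interface Reply { status: number; body: { message: string } }

function mac(payload: string): string {
  return createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Token = userId.expiresAt.nonce.hmac; the HMAC binds the three fields together.
export function makeResetToken(userId: string, expiresAt: number): string {
  const payload = `${userId}.${expiresAt}.${randomBytes(16).toString('hex')}`;
  return `${payload}.${mac(payload)}`;
}

// Returns the user id for a valid, unexpired token, otherwise null.
export function verifyResetToken(token: string, now = Date.now()): string | null {
  const parts = token.split('.');
  if (parts.length !== 4) return null;
  const [userId, expiresAt, nonce, tag] = parts;
  const expected = Buffer.from(mac(`${userId}.${expiresAt}.${nonce}`), 'hex');
  const given = Buffer.from(tag, 'hex');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  return Number(expiresAt) > now ? userId : null;
}

// Same status, same body and the same token work whether or not the address is registered;
// only the side effect (queueing the mail) differs, and that is invisible to the requester.
export function forgotPassword(email: string): Reply {
  const user = users.get(email.trim().toLowerCase());
  const token = makeResetToken(user ? user.id : 'dummy-user-id', Date.now() + EXPIRY_MS);
  if (user) outbox.push({ to: email, token });
  return {
    status: 200,
    body: { message: 'If this email is registered, it will receive the instructions on resetting the password.' },
  };
}
```

The database lookup and mail delivery still cost different amounts of time, so in a real service the mail should go to a queue rather than being sent inline.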