This PR makes the server return a HTTP 204 No Content success response when requesting a password reset, regardless of the user existing or not, as long as the captcha (if enabled) was passed.
While this definitively hurts the user experience, it's recommended by OWASP, and even if Big Corp does it like that, they might have other tracking measures or ratelimits to prevent brute-force attacks, or might just be vulnerable as well.
Also removes the "Account disabled/scheduled for deletion" error to prevent timing attacks and instead always sends an email. Those checks (as well as MFA verification!) should be handled after the user (and therefore the access of the user to the email account) was verified.
To my knowledge, there's no Spacebar client with a "Forgot password" button nor a server template to handle password resets.
This PR makes the server return a HTTP
204 No Contentsuccess response when requesting a password reset, regardless of the user existing or not, as long as the captcha (if enabled) was passed.While this definitively hurts the user experience, it's recommended by OWASP, and even if Big Corp does it like that, they might have other tracking measures or ratelimits to prevent brute-force attacks, or might just be vulnerable as well.
Also removes the "Account disabled/scheduled for deletion" error to prevent timing attacks and instead always sends an email. Those checks (as well as MFA verification!) should be handled after the user (and therefore the access of the user to the email account) was verified.
To my knowledge, there's no Spacebar client with a "Forgot password" button nor a server template to handle password resets.