workos / authkit

The world's best login box powered by WorkOS and Radix.
https://authkit.com
MIT License
2.3k stars 89 forks

Hosted AuthKit gives a server error when trying to use the reset password flow for an email that doesn't match a user #27

Closed ntabris closed 6 months ago

ntabris commented 6 months ago

I'm trying out the hosted AuthKit with WorkOS, since that would be much easier for us to use than building our own auth flows.

If I use the sign-in page and enter an email that doesn't match an existing user, and then click "Forgot your password?" and then "Send reset instructions", I get a server error:

[screenshot: server error page]

URL for this page is https://<our staging subdomain>.authkit.app/reset-password?email=<email that doesn't match existing user>&redirect_uri=<our redirect uri>.

This seems like a bug since people wouldn't understand what went wrong and this wouldn't be a great experience.

PaulAsjes commented 6 months ago

Thanks for the report, we're looking into this!

benoitgrelard commented 6 months ago

Hi @ntabris this has been fixed and is now deployed.

ntabris commented 6 months ago

Thanks for addressing this so quickly! It appears that now the page says a password reset email was sent:

[screenshot: message stating that a password reset email was sent]

But in fact no email is sent, and the user will expect such an email and not realize they need to sign up for a new account.

Contrast this with, e.g., the Microsoft flow that tells you there's no account for your email when that's the case:

[screenshot: Microsoft sign-in page stating that no account exists for the email]

benoitgrelard commented 6 months ago

Yes, that is correct, and is the intended behaviour for security reasons, as we don't want to leak the fact that a user exists or not based on an email address. Otherwise it could be an attack vector to brute-force check user existence like this.

ntabris commented 6 months ago

Yeah, if you confirm email existence, presumably you need to rely on other mechanisms (bot detection?) to mitigate brute-force checks of user existence. I'd assume Microsoft is doing something like that.

That said, I'm worried about UX if the user incorrectly thinks they have an account and everything AuthKit says indicates that they do.

One solution here would be to send email that isn't reset email, but is a "you don't have an account already" email.

Another solution would be to have the AuthKit message something that includes something along the lines of if you don't have an account with this email, you'll need to <link>sign up</link>.

(I'll note that this isn't a dealbreaker for us in whether or not to use WorkOS, but it is a concern, especially since it doesn't appear that WorkOS gives us any notification of failed sign in attempts.)
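
The behaviour argued for in the two comments above (one identical response whether or not the address belongs to a user, so the reset form cannot be used to enumerate accounts), together with ntabris's two suggested compromises (an optional "you don't have an account" email, and response wording that points non-users at sign-up), as an added illustration. This is example code, not AuthKit or WorkOS code: the user store, the `Outbox` mailer, the reset and sign-up URLs, the token lifetime and the per-address rate limit are all hypothetical stand-ins.

```python
# Added example (not AuthKit/WorkOS code): a password-reset request handler that
# returns the same message for known and unknown addresses. Everything below
# (user store, mailer, URLs, limits) is a hypothetical stand-in.
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: one known account.
USERS = {"alice@example.com": {"id": 1}}

# Hypothetical URLs; a real deployment uses its own domain.
RESET_URL = "https://app.example.com/reset-password?token="
SIGNUP_URL = "https://app.example.com/sign-up"
TOKEN_TTL_SECONDS = 15 * 60

# Wording in the spirit of the compromise reached in the thread: it neither
# confirms nor denies that an account exists, but tells non-users what to do.
GENERIC_MESSAGE = (
    "If an account exists for that email, we've sent password reset instructions. "
    "If you don't have an account yet, you'll need to sign up."
)


@dataclass
class Outbox:
    """Stand-in for a mailer; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


@dataclass
class ResetService:
    users: dict
    outbox: Outbox
    # Opt-in: mail unknown addresses a "no account" notice instead of nothing.
    notify_unknown: bool = False
    # Layered mitigation: cap reset requests per address per window. Exceeding it
    # silently drops the request; the caller still sees GENERIC_MESSAGE.
    max_requests_per_window: int = 3
    window_seconds: int = 3600
    _tokens: dict = field(default_factory=dict)    # sha256(token) -> (email, expiry)
    _requests: dict = field(default_factory=dict)  # email -> [timestamps]

    def _rate_limited(self, email: str, now: float) -> bool:
        recent = [t for t in self._requests.get(email, []) if now - t < self.window_seconds]
        self._requests[email] = recent
        if len(recent) >= self.max_requests_per_window:
            return True
        recent.append(now)
        return False

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        """Handle "Send reset instructions"; the return value never depends on existence."""
        now = time.time() if now is None else now
        normalized = email.strip().lower()
        # Generate and hash a token on every path so the unknown-address branch
        # costs the same as the known-address branch (timing must not leak either).
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        if self._rate_limited(normalized, now):
            return GENERIC_MESSAGE
        if normalized in self.users:
            # Store only the hash; a leaked store then does not yield usable tokens.
            self._tokens[token_hash] = (normalized, now + TOKEN_TTL_SECONDS)
            self.outbox.send(normalized, "Reset your password", RESET_URL + token)
        elif self.notify_unknown:
            self.outbox.send(normalized, "No account for this email",
                             "There is no account for this address. Sign up at " + SIGNUP_URL)
        return GENERIC_MESSAGE

    def consume_token(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email for a valid, unexpired, single-use token; otherwise None."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return None
        email, expiry = entry
        return email if now <= expiry else None


if __name__ == "__main__":
    svc = ResetService(users=dict(USERS), outbox=Outbox())
    print(svc.request_reset("alice@example.com"))
    print(svc.request_reset("nobody@example.com"))
    print(f"{len(svc.outbox.sent)} email(s) would have been sent")
```

The point of the example is the shape of `request_reset`: the string it returns, the work it does, and the time it takes are the same on both branches; only what lands in the outbox differs. Setting `notify_unknown=True` gives the first alternative from the comment above (an email that tells the recipient they have no account), which still leaks nothing to the person typing into the form, since only the mailbox owner learns the outcome.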

benoitgrelard commented 6 months ago

Thanks for the feedback, we'll take another pass on it and update the messaging.

benoitgrelard commented 6 months ago

Hi @ntabris, we have taken your feedback on board and updated the messaging as a compromise. This is now deployed.

[screenshot: updated reset-password messaging, 2024-05-02]

ntabris commented 6 months ago

@benoitgrelard thanks! I really appreciate how responsive you've been.