Insecure message in forum login page

SanderMa · December 29, 2022, 6:41am

When requesting an email link for an account the page tells if the address exists. This is insecure and unneeded. It should be changed to a generic message “if the address is known we have sent you a link to login”

Best regards,
Sander Mathijssen

Apologies if this is not the correct place for forum bug reports

Junyi_Du · December 29, 2022, 2:38pm

Thanks. Is there any setting option / switch for Discourse?

I find this but it’s hard to change if the logic is hard-coded:

github.com

discourse/discourse/blob/main/config/locales/client.en.yml#L2101


      
            action: "I forgot my password"
            invite: "Enter your username or email address, and we'll send you a password reset email."
            invite_no_username: "Enter your email address, and we'll send you a password reset email."
            reset: "Reset Password"
            complete_username: "If an account matches the username <b>%{username}</b>, you should receive an email with instructions on how to reset your password shortly."
            complete_email: "If an account matches <b>%{email}</b>, you should receive an email with instructions on how to reset your password shortly."
            complete_username_found: "We found an account that matches the username <b>%{username}</b>. You should receive an email with instructions on how to reset your password shortly."
            complete_email_found: "We found an account that matches <b>%{email}</b>. You should receive an email with instructions on how to reset your password shortly."
          
          
  complete_username_not_found: "No account matches the username <b>%{username}</b>"
            complete_email_not_found: "No account matches <b>%{email}</b>"
            help: "Email not arriving? Be sure to check your spam folder first.<p>Not sure which email address you used? Enter an email address and we’ll let you know if it exists here.</p><p>If you no longer have access to the email address on your account, please contact <a href='%{basePath}/about'>our helpful staff.</a></p>"
            button_ok: "OK"
            button_help: "Help"
          
          
email_login:
            link_label: "Email me a login link"
            button_label: "with email"
            login_link: "Skip the password; email me a login link"
            emoji: "lock emoji"
            complete_username: "If an account matches the username <b>%{username}</b>, you should receive an email with a login link shortly."

SanderMa · December 30, 2022, 9:20am

The config file of the server should contain that option configured. If we change it to line 2096 it will not tell you if it exists.

SanderMa · December 30, 2022, 9:27am

Or perhaps this should be an issue in the Discourse repo?