Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/12/02 23:42:09 UTC

[GitHub] [trafficcontrol] ocket8888 opened a new issue #6399: /user/reset_password shouldn't disclose whether an email exists

ocket8888 opened a new issue #6399:
URL: https://github.com/apache/trafficcontrol/issues/6399


   ## This Improvement request (usability, performance, tech debt, etc.) affects these Traffic Control components:
   - Traffic Ops
   
   ## Current behavior:
   If a user requests a password reset for an email address not associated with any Traffic Ops user, the `/user/reset_password` endpoint responds with a client error and a message that no such user was found.
   
   ## New behavior:
   Instead of telling the client whether such a user exists, the API should just always respond with a success and a success-level alert that says e.g. `if a user with that email was found, a password reset email has been sent to them`. Just exposes less information at no real cost.
   


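A sketch of the behavior proposed in the issue above, added here as an illustration and not taken from Traffic Ops: `Alert`, `requestReset`, `handler`, the `known` lookup and the mail `queue` are all hypothetical names. It goes one step beyond the issue by handing the email to a background queue, so that the known-address path does not take noticeably longer than the unknown one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Alert is an assumed level/text alert shape, not Traffic Ops' own type.
type Alert struct {
	Level string `json:"level"`
	Text  string `json:"text"`
}

const resetMsg = "if a user with that email was found, a password reset email has been sent to them"

// requestReset answers identically for known and unknown emails; known and queue are hypothetical.
func requestReset(known func(string) bool, queue chan<- string, email string) (int, Alert) {
	email = strings.ToLower(strings.TrimSpace(email))
	if email == "" { // rejecting empty input reveals nothing about accounts
		return http.StatusBadRequest, Alert{"error", "email is required"}
	}
	if known(email) {
		select {
		case queue <- email: // mail is sent off the request path, so timing stays similar
		default: // queue full: drop (log server-side); the response does not change
		}
	}
	return http.StatusOK, Alert{"success", resetMsg}
}

// handler exposes requestReset over HTTP for a JSON body {"email": "..."}.
func handler(known func(string) bool, queue chan<- string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req struct{ Email string }
		_ = json.NewDecoder(r.Body).Decode(&req) // undecodable body leaves Email empty
		code, alert := requestReset(known, queue, req.Email)
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(code)
		_ = json.NewEncoder(w).Encode(map[string][]Alert{"alerts": {alert}})
	}
}

func main() {
	users := map[string]bool{"alice@example.test": true} // constructed sample account
	known, q := func(e string) bool { return users[e] }, make(chan string, 8)
	fmt.Println(requestReset(known, q, "alice@example.test"))  // known address
	fmt.Println(requestReset(known, q, "nobody@example.test")) // unknown: identical output
}
```

Rate limiting per client and per target address still belongs in front of this endpoint, since a uniform response does not stop a client from triggering mail to a known user repeatedly.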