chore: disallow password resets to unverified email #18088
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
miketheman
added
security
|
not the solution any longer
|
di
reviewed
May 6, 2025
di
reviewed
May 6, 2025
miketheman
force-pushed
the
miketheman/disallow-password-resets-for-unverified-emails
branch
from
f883bbc to
c193714
Compare
|
Sample email notice, HTML rendered:
|
di
reviewed
May 8, 2025
warehouse/templates/email/password-reset-unverified/subject.txt
Outdated
Show resolved
Hide resolved
miketheman
commented
May 8, 2025
Comment on lines
+2174
to
+2177
| [ | ||
| "email", | ||
| "username", | ||
| ], |
There was a problem hiding this comment.
This was the material change to the unverified tests from the previous version - now this test takes either of these as an input.
di
approved these changes
May 9, 2025
Only allow account resets to verified email addresses to prevent account domain resurrection attacks. Signed-off-by: Mike Fiedler <[email protected]>
If the user account exists for a given email address, check if the account is verified. If it's not, reject with a flash message. Signed-off-by: Mike Fiedler <[email protected]>
Signed-off-by: Mike Fiedler <[email protected]>
Signed-off-by: Mike Fiedler <[email protected]>
Signed-off-by: Mike Fiedler <[email protected]>
Signed-off-by: Mike Fiedler <[email protected]>
Signed-off-by: Mike Fiedler <[email protected]>
miketheman
force-pushed
the
miketheman/disallow-password-resets-for-unverified-emails
branch
from
90f6e3b to
402a9f7
Compare
miketheman
deleted the
miketheman/disallow-password-resets-for-unverified-emails
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Only allow account resets to verified email addresses to prevent account
domain resurrection attacks.
If the user account exists for a given email address, check if the
account is verified. If it's not, reject with a flash message.
Does not disclose the name of a given user account, logs an event/warning for inspection.