LeadMagnet/leadchat
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
f4538ae2c56b486c20983228cfebc883b112ea00
leadchat/config
History
João Pedro Baza Garcia Rodrigues 4d362da9f0 fix: Prevent user enumeration on password reset endpoint (#13528) 
## Description

The current password reset endpoint returns different HTTP status codes
and messages depending on whether the email exists in the system (200
for existing emails, 404 for non-existing ones). This allows attackers
to enumerate valid email addresses via the password reset form.

## Changes

### `app/controllers/devise_overrides/passwords_controller.rb`
- Removed the `if/else` branch that returned different responses based
on email existence
- Now always returns a generic `200 OK` response with the same message
regardless of whether the email exists
- Uses safe navigation operator (`&.`) to send reset instructions only
if the user exists

### `config/locales/en.yml`
- Consolidated `reset_password_success` and `reset_password_failure`
into a single generic `reset_password` key
- New message does not reveal whether the email exists in the system

## Security Impact
- **Before**: An attacker could determine if an email was registered by
observing the HTTP status code (200 vs 404) and response message
- **After**: All requests receive the same 200 response with a generic
message, preventing user enumeration

This follows [OWASP guidelines for authentication error
messages](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-responses).

Fixes #13527
2026-02-13 13:45:40 +05:30
..
agents
feat: add more tools (#12116)
2025-08-08 17:57:30 +05:30
environments
chore: Improvements to codespaces (#11635)
2025-05-29 21:18:02 -06:00
initializers
fix: velma connection limit (#13395)
2026-01-29 20:53:41 +05:30
integration
feat: notion OAuth setup (#11765)
2025-06-26 19:16:06 +05:30
languages
feat: Updated public portal header design (#8089)
2023-11-08 17:56:59 -08:00
locales
fix: Prevent user enumeration on password reset endpoint (#13528)
2026-02-13 13:45:40 +05:30
app.yml
Bump version to 4.10.1
2026-01-20 08:43:11 -08:00
application.rb
Revert "chore: Upgrade Rails to 7.2.2 and update Gemfile dependencies (#11037)"
2026-02-03 21:09:42 -08:00
boot.rb
Upgrade to rails 6 💎 (#11)
2019-08-19 13:49:57 +05:30
cable.yml
fix: Redis 6 on Heroku breaks ActionCable config (#4269)
2022-03-24 19:25:07 +05:30
database.yml
perf: enable active record connection pool reaper (#10866)
2025-03-17 19:27:05 -07:00
elastic_apm.yml
chore: Support for Elastic APM (#5004)
2022-07-22 11:39:37 +02:00
environment.rb
Initial Commit
2019-08-14 15:18:44 +05:30
features.yml
fix: V2 Assignment service enhancements (#13036)
2026-02-11 12:24:45 +05:30
installation_config.yml
feat: add per-account daily rate limit for outbound emails (#13411)
2026-02-03 02:06:51 +05:30
llm.yml
feat: add global config for captain settings (#13141)
2026-01-12 19:54:19 +05:30
markdown_embeds.yml
fix: Update Arcade embed aspect ratio (#12923)
2025-11-24 20:22:27 +05:30
newrelic.yml
fix: logic error when setting new relic logging forwarding (#8687)
2024-01-11 21:05:04 +05:30
puma.rb
chore: Fix puma configuration (#5023)
2022-07-12 12:27:33 +02:00
rds-ca-2019-root.pem
chore: add aws rds root cert for tls connection (#3812)
2022-02-01 16:01:25 +05:30
routes.rb
feat: Add standalone outgoing messages count API endpoint (#13419)
2026-02-04 19:36:50 +05:30
schedule.yml
chore: temporarily disable ProcessStaleContactsJob (#13462)
2026-02-06 13:27:51 +05:30
scout_apm.yml
chore: Load only required APMs (#6497)
2023-03-01 14:31:51 +05:30
secrets.yml
Use secret_key_base from env
2019-08-15 23:08:36 +05:30
sidekiq.yml
chore: add script to throttle bulkreindex job creation and increase meta timeouts(#12626)
2025-10-13 16:21:45 +05:30
spring.rb
🚨Fix Rubocop lint errors
2019-10-20 14:17:26 +05:30
storage.yml
Revert "chore: Upgrade Rails to 7.2.2 and update Gemfile dependencies (#11037)"
2026-02-03 21:09:42 -08:00
vite.json
feat: Vite + vue 3 💚 (#10047)
2024-10-02 00:36:30 -07:00