I have a Rails/Nuxt project with an account recovery flow.
One scenario happens when the User forgets both his registered email and his password. The User can be reminded of his email by submitting his account id. Rails then responds with the User's id and an obfuscated version of the email.
At this moment, the User already knows his email, but not his password. So he clicks on the "Remember Password" button.
By default, Devise (the auth lib) expects the full email to be submitted (not an obfuscated one) in order to generate and send the recovery link to the User. But at this moment, only the obfuscated email is available, and I don't want to bother the User with filling in the complete email, because I already know who he is (from the account id).
That said, I want to know whether there is any security concern about overriding the Devise method below in order to send the recovery token by using the User's id instead of the email.
# Attempt to find a user by its email. If a record is found, send new
# password instructions to it. If user is not found, returns a new user
# with an email not found error.
# Attributes must contain the user's email
def send_reset_password_instructions(attributes = {})
  recoverable = find_or_initialize_with_errors(reset_password_keys, attributes, :not_found)
  recoverable.send_reset_password_instructions if recoverable.persisted?
  recoverable
end
https://github.com/heartcombo/devise/blob/main/lib/devise/models/recoverable.rb
CodePudding user response:
I see no difference in security between supplying an email or any other user id, if eventually you send the password reset to the email address related to the user that exists in the database.
CodePudding user response:
There is a moderate risk here for vulnerabilities like username enumeration. Account IDs tend to be more predictable than email addresses, so as your userbase grows you will have an increased risk of someone abusing this to enumerate accounts.
You can mitigate some of the risk by using reCAPTCHA or requiring another factor of known information, or both.
It's also important to point out the difference between this feature and a traditional reset function. The reset functionality can prevent harvesting attacks by responding exactly the same for valid and invalid emails. For example:
If the email you provided is valid, a password reset link has been sent.
This recovery feature does not have that ability.
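To make the two points concrete, here is an added, stand-alone Ruby simulation of the flow the question describes and of the uniform-response mitigation the second answer recommends. It is example code written for this page, not the asker's project code and not Devise's implementation: the `USERS` table, the `Recoverable` stand-in, `obfuscate_email`, `remind_email` and `reset_by_id_response` are all constructed here, and no Rails or Devise is loaded. It shows that looking the record up by `:id` instead of `:email` still delivers the token only to the stored address, that the id-based reset step can answer identically for existing and non-existing ids, and that the email-reminder step cannot, because revealing the obfuscated email is its purpose.

```ruby
# Added example (not the asker's code nor Devise's): a stand-alone
# simulation of the two-step recovery flow from the question, with the
# uniform response the second answer recommends for the reset step.
# All names, the user store and the sample users are constructed here.

# Constructed in-memory user table keyed by the account id the User submits.
USERS = {
  1001 => { id: 1001, email: "alice.smith@example.com" },
  1002 => { id: 1002, email: "bo@example.org" },
}

# Obfuscate an address for the "remind me of my email" step: keep the first
# character of the local part and the whole domain, mask the rest.
def obfuscate_email(email)
  local, domain = email.split("@", 2)
  "#{local[0]}#{'*' * (local.length - 1)}@#{domain}"
end

# Step 1: the User submits an account id and gets back the id plus the
# obfuscated email. This step cannot be made uniform: its whole purpose is
# to reveal whether the id maps to an account, which is the enumeration
# risk the second answer points out. A nil return is the "not found" case.
def remind_email(account_id)
  user = USERS[account_id]
  return nil unless user
  { id: user[:id], email: obfuscate_email(user[:email]) }
end

# Stand-in for a Devise-style recoverable record (constructed for this example).
class Recoverable
  attr_reader :attrs, :errors, :sent_to

  def initialize(attrs, persisted:)
    @attrs = attrs
    @persisted = persisted
    @errors = []
    @sent_to = nil
  end

  def persisted?
    @persisted
  end

  # Stand-in for the mailer call: record the address the token would go to.
  def send_reset_password_instructions
    @sent_to = attrs[:email]
  end
end

# Mirrors the shape of Devise's find_or_initialize_with_errors, but the
# lookup key is :id instead of the default reset_password_keys (:email).
def find_or_initialize_with_errors(keys, attributes, error)
  lookup = keys.each_with_object({}) { |k, h| h[k] = attributes[k] }
  user = USERS[lookup[:id]]
  return Recoverable.new(user, persisted: true) if user

  rec = Recoverable.new(lookup, persisted: false)
  rec.errors << error
  rec
end

# Step 2: the override the question proposes. The token always goes to the
# email stored for that id, never to an address the requester supplied, so
# the recipient of the link is the same as in the email-based flow.
def send_reset_password_instructions(attributes = {})
  recoverable = find_or_initialize_with_errors([:id], attributes, :not_found)
  recoverable.send_reset_password_instructions if recoverable.persisted?
  recoverable
end

# Controller-level wrapper: return the same message whether or not the id
# exists, so the reset step itself does not confirm account existence.
GENERIC_MESSAGE = "If the account exists, a password reset link has been sent."

def reset_by_id_response(account_id)
  send_reset_password_instructions(id: account_id)
  GENERIC_MESSAGE
end

if __FILE__ == $0
  puts remind_email(1001).inspect
  puts reset_by_id_response(1001)
  puts reset_by_id_response(9999)
end
```

The design point is the split between the two steps: `reset_by_id_response` can be made indistinguishable for valid and invalid ids, but `remind_email` necessarily differs, so rate limiting, CAPTCHA or a second known factor (as the second answer suggests) belongs on that first step, where the enumeration signal actually lives.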