
Existence of user account queryable through password reset #18475

Open
mvdbeek opened this issue Jul 1, 2024 · 6 comments

Comments

@mvdbeek
Member

mvdbeek commented Jul 1, 2024

> Is this message getting out of the API? We should never reveal whether or not a user exists at an instance, that's a security and privacy concern.

Originally posted by @mvdbeek in #18459 (comment)

@martenson
Member

Nice catch. I remember we fixed this long ago, but it seems we reintroduced it.

@ahmedhamidawan ahmedhamidawan self-assigned this Jul 1, 2024
ahmedhamidawan added a commit to ahmedhamidawan/galaxy that referenced this issue Jul 1, 2024
This prevents existence of a user account from being queryable through password reset. We now return `None` and display a generic message regardless of a prt being created or not.

Fixes galaxyproject#18475
@dannon
Member

dannon commented Jul 1, 2024

I think it's reasonable to change the message here, but I just want to point out that if we really want to prevent leaking emails we would have to significantly change (impede) how registration works, explicitly putting the activation email in the required loop (i.e. -- you can't just register and immediately be logged in, you must click the link in the email to start your first session). Without this, the act of registering an already registered email leaks as well.

@jdavcs
Member

jdavcs commented Jul 1, 2024

This is a good point. So, how do we communicate to a user who has an account but may have forgotten about it and is trying to register again? Should the system send an email informing that user that they have an account and ask whether they want to reset their password? Plus, display a generic message, e.g. "an activation message has been sent to the provided email address"?

@martenson
Member

The two tricky parts while tightening this seem to be:

  • the automatic login after registration; this likely needs to be disabled, otherwise it will give up the information whether the account exists.
  • the instances without user activation enabled; I don't see a good solution here.

@nsoranzo
Member

nsoranzo commented Jul 2, 2024

> the instances without user activation enabled; I don't see a good solution here.

I think that's fine, it's probably only small or behind-firewall instances that don't have user activation enabled. We can still mention in the user activation settings that having it disabled allows this information leak mechanism.

@martenson
Member

martenson commented Jul 2, 2024

We could also consider enabling activation by default. Or at least heartily recommend it for production settings since it complicates basic setup.
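Added example (not Galaxy's code and not from the linked commit): a minimal Python sketch of the two handlers this thread is about. `request_reset_leaky` shows the behaviour the issue describes (a distinct message when no account exists); `request_reset` returns one fixed message and only sends mail when an account is found. `register` follows jdavcs's suggestion for instances with activation required: the HTTP response is identical for new and already-registered addresses, and an existing user is told about their account by email instead. With `activation_required=False` the response necessarily differs, which is the case martenson and nsoranzo describe as having no good fix. The `Store` class, the outbox list and the message strings are constructed stand-ins for a database and SMTP.

```python
"""Uniform-response password reset and registration (constructed example)."""
from dataclasses import dataclass, field
import secrets

# Fixed messages: identical regardless of whether the address is known.
GENERIC_RESET_MSG = "If an account exists for that email, a reset link has been sent."
GENERIC_REGISTER_MSG = "An activation message has been sent to the provided email address."


@dataclass
class User:
    email: str
    active: bool = False


@dataclass
class Store:
    """In-memory stand-in for the user table, token table and mail server."""
    users: dict = field(default_factory=dict)         # normalized email -> User
    reset_tokens: dict = field(default_factory=dict)  # token -> email
    outbox: list = field(default_factory=list)        # (email, mail kind) pairs


def normalize(email: str) -> str:
    return email.strip().lower()


def _issue_reset(store: Store, email: str) -> None:
    token = secrets.token_urlsafe(32)
    store.reset_tokens[token] = email
    store.outbox.append((email, "reset"))


def request_reset_leaky(store: Store, email: str) -> str:
    """Leaky variant: the response text reveals whether the account exists."""
    user = store.users.get(normalize(email))
    if user is None:
        return "No such user"          # attacker learns the address is unregistered
    _issue_reset(store, user.email)
    return "Reset email sent"          # attacker learns the address is registered


def request_reset(store: Store, email: str) -> str:
    """Hardened variant: same response either way; mail only goes to real accounts."""
    user = store.users.get(normalize(email))
    if user is not None:
        _issue_reset(store, user.email)
    return GENERIC_RESET_MSG


def register(store: Store, email: str, activation_required: bool = True) -> str:
    """Registration that does not disclose existing accounts in its response.

    With activation required, both paths answer GENERIC_REGISTER_MSG: a new
    address gets an activation mail, a known address gets a mail saying an
    account already exists (so a user who forgot can reset the password).
    """
    key = normalize(email)
    if not activation_required:
        # Without activation the user is logged in immediately, so the
        # response cannot be made uniform; existence is disclosed here.
        if key in store.users:
            return "Email already registered"
        store.users[key] = User(key, active=True)
        return "Registered and logged in"
    if key in store.users:
        store.outbox.append((key, "existing-account"))
    else:
        store.users[key] = User(key, active=False)
        store.outbox.append((key, "activate"))
    return GENERIC_REGISTER_MSG


if __name__ == "__main__":
    s = Store(users={"alice@example.org": User("alice@example.org", active=True)})
    print(request_reset_leaky(s, "alice@example.org"), "|", request_reset_leaky(s, "bob@example.org"))
    print(request_reset(s, "alice@example.org"), "|", request_reset(s, "bob@example.org"))
    print(register(s, "alice@example.org"), "|", register(s, "carol@example.org"))
```

Two caveats the sketch does not cover: sending mail synchronously inside the handler makes the known-account path slower, so the mail should be queued rather than sent inline to avoid a timing difference, and rate limiting on both endpoints is still needed since uniform responses do not stop bulk probing by other means.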
