Comments (9)
Fair enough -- in my opinion though leaking that information does depend on the nature of the site. Twitter, Youtube, Facebook, might not be a huge deal. You could actually probably assume a good chunk of people already do have accounts on those sites. With a package like Fortify though you don't always know what people are building with it and in some cases leaking that information could be much more personal; imagine if someone made like... "living-with-aids.com".
I get that as developers it's up to us to know and follow best practices, but it would also be nice for a package like Fortify to follow all and advocate the best practices as well.
from fortify.
If you attempt to register an account on any app with an email address that exists you get the same result.
Using Twitter as grounds to dismiss a security issue is just ignorant.
Surely you're not comparing every website built with this to Twitter? Seems very detached from reality. You honestly cannot expect every small website to have the level of defence that Twitter has against user enumeration spams.
In fact, as it stands you can spam this controller as long as you want and get all the emails/usernames you want even if it takes 3 months.
What about the systems that don't allow user registration and they have to be created by an admin?
This was a security issue 10 years ago. I really don't get why this is still an issue today.
I'm not concerned about this:
@bkilshaw I totally understand this.
I build apps that are used by military/government contractors that don't have registration enabled. So I always respond with a success message that looks like the following:
If an account exists with the given email address an email with a password reset link should have been sent.
You can achieve this in Fortify:
- Make sure that you are using your own routes and not Fortify's.
- Extend the PasswordResetLinkController controller (only the store method) to return the following:
return $status == Password::RESET_LINK_SENT
? app(SuccessfulPasswordResetLinkRequestResponse::class, ['status' => $status])
: app(SuccessfulPasswordResetLinkRequestResponse::class, ['status' => $status]);
Or simply:
return app(SuccessfulPasswordResetLinkRequestResponse::class, ['status' => $status]);
And that should do the trick! I used to do the same with laravel/ui.
Like @taylorotwell said it is not a big deal, but for some people like us it is! However, the majority don't mind leaking such information. Therefore, if you have a specific use case just extend (that is why I love Laravel).
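A fuller version of the override described in the post above, as an added example (not the commenter's code and not Fortify's own): the subclass keeps Fortify's validation and broker call, records the real broker status server-side, and always hands back the success response so the caller learns nothing about whether the address exists. The class name, file path and log message are assumptions; the Fortify classes and the Password constants are real.

```php
<?php
// app/Http/Controllers/Auth/UniformPasswordResetLinkController.php (assumed path)
//
// Wire it up by calling Fortify::ignoreRoutes() in FortifyServiceProvider::register()
// and declaring your own POST /forgot-password route named 'password.email' that
// points at this controller, so Fortify's default controller is never reached.

namespace App\Http\Controllers\Auth;

use Illuminate\Contracts\Support\Responsable;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Password;
use Laravel\Fortify\Contracts\SuccessfulPasswordResetLinkRequestResponse;
use Laravel\Fortify\Fortify;
use Laravel\Fortify\Http\Controllers\PasswordResetLinkController;

class UniformPasswordResetLinkController extends PasswordResetLinkController
{
    /**
     * Same validation and broker call as Fortify's store(), but the HTTP
     * response no longer depends on whether the e-mail matched a user.
     */
    public function store(Request $request): Responsable
    {
        $request->validate([Fortify::email() => 'required|email']);

        // The broker still sends the mail when the user exists; otherwise it
        // returns Password::INVALID_USER (or RESET_THROTTLED when rate-limited).
        $status = $this->broker()->sendResetLink(
            $request->only(Fortify::email())
        );

        if ($status !== Password::RESET_LINK_SENT) {
            // Keep the real outcome for operators, never for the requester.
            logger()->info('password reset link not sent', ['status' => $status]);
        }

        // Always flash the "sent" status. Put the generic wording from the post
        // ("If an account exists with the given email address ...") under
        // 'sent' in lang/en/passwords.php so the view shows it in every case.
        return app(SuccessfulPasswordResetLinkRequestResponse::class, [
            'status' => Password::RESET_LINK_SENT,
        ]);
    }
}
```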
I'm hoping for a way to easily do this without copy-pasting the Fortify routes and overriding the controller method. It makes updating a bit less easy.
Just a hook to override the response would be great and makes updating very easy.
Not necessarily, especially when you're using email verification. There's no advantage to logging a user in after registration since they can't get in until they verify anyways. Ideally you display a message saying something more generic like "Thank you for your registration. Please verify your email by clicking the link in the email." This prevents exposing whether or not an email exists in the system in both the registration and password reset.
Overall, by being more vague in the messaging you're able to prevent exposing user details. Hopefully Fortify can implement and advocate best practices since it's pretty much guaranteed to be widely used and can have a big impact.
Thanks @ali-alharthi -- that's a much more thorough way to handle it compared to what I hacked together originally!
Still holding out that they eventually update Fortify to follow the best practices out of the box, but it's nice having the ability to easily make those changes!
My suggestion would be to add an option to specify our own response, with a value being available to us whether it was successful or not and the form input. This allows for maximum flexibility. So we could simply redirect->back with a generic message or show a detailed message.
In my case, I would send a message back like: If an account exists for "[email protected]", you will have received a confirmation mail.