reset_password API to always return success (#5284)

crates/api/src/local_user/reset_password.rs

@@ -6,23 +6,31 @@ use lemmy_api_common::{
   SuccessResponse,
 };
 use lemmy_db_views::structs::{LocalUserView, SiteView};
-use lemmy_utils::error::{LemmyErrorExt, LemmyErrorType, LemmyResult};
+use lemmy_utils::error::LemmyResult;
+use tracing::error;
 
 #[tracing::instrument(skip(context))]
 pub async fn reset_password(
   data: Json<PasswordReset>,
   context: Data<LemmyContext>,
 ) -> LemmyResult<Json<SuccessResponse>> {
-  // Fetch that email
   let email = data.email.to_lowercase();
-  let local_user_view = LocalUserView::find_by_email(&mut context.pool(), &email)
-    .await
-    .with_lemmy_type(LemmyErrorType::IncorrectLogin)?;
-
-  let site_view = SiteView::read_local(&mut context.pool()).await?;
-  check_email_verified(&local_user_view, &site_view)?;
-
-  // Email the pure token to the user.
-  send_password_reset_email(&local_user_view, &mut context.pool(), context.settings()).await?;
+  // For security, errors are not returned.
+  // https://github.com/LemmyNet/lemmy/issues/5277
+  let _ = try_reset_password(&email, &context).await;
   Ok(Json(SuccessResponse::default()))
 }
+
+async fn try_reset_password(email: &str, context: &LemmyContext) -> LemmyResult<()> {
+  let local_user_view = LocalUserView::find_by_email(&mut context.pool(), email).await?;
+  let site_view = SiteView::read_local(&mut context.pool()).await?;
+
+  check_email_verified(&local_user_view, &site_view)?;
+  if let Err(e) =
+    send_password_reset_email(&local_user_view, &mut context.pool(), context.settings()).await
+  {
+    error!("Failed to send password reset email: {}", e);
+  }
+
+  Ok(())
+}