From c0342292951c237ec5f575f2165758e4f0712e6f Mon Sep 17 00:00:00 2001
From: anhcuky <42137630+anhcuky@users.noreply.github.com>
Date: Fri, 3 Jan 2025 00:37:13 +0700
Subject: [PATCH] reset_password API to always return success (#5284)
---
 crates/api/src/local_user/reset_password.rs | 30 +++++++++++++--------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/crates/api/src/local_user/reset_password.rs b/crates/api/src/local_user/reset_password.rs
index e0f63d2e6c..20707950c4 100644
--- a/crates/api/src/local_user/reset_password.rs
+++ b/crates/api/src/local_user/reset_password.rs
@@ -6,23 +6,31 @@ use lemmy_api_common::{
 SuccessResponse,
 };
 use lemmy_db_views::structs::{LocalUserView, SiteView};
-use lemmy_utils::error::{LemmyErrorExt, LemmyErrorType, LemmyResult};
+use lemmy_utils::error::LemmyResult;
+use tracing::error;

 #[tracing::instrument(skip(context))]
 pub async fn reset_password(
 data: Json,
 context: Data,
 ) -> LemmyResult> {
- // Fetch that email
 let email = data.email.to_lowercase();
- let local_user_view = LocalUserView::find_by_email(&mut context.pool(), &email)
- .await
- .with_lemmy_type(LemmyErrorType::IncorrectLogin)?;
-
- let site_view = SiteView::read_local(&mut context.pool()).await?;
- check_email_verified(&local_user_view, &site_view)?;
-
- // Email the pure token to the user.
- send_password_reset_email(&local_user_view, &mut context.pool(), context.settings()).await?;
+ // For security, errors are not returned.
+ // https://github.com/LemmyNet/lemmy/issues/5277
+ let _ = try_reset_password(&email, &context).await;
 Ok(Json(SuccessResponse::default()))
 }
+
+async fn try_reset_password(email: &str, context: &LemmyContext) -> LemmyResult<()> {
+ let local_user_view = LocalUserView::find_by_email(&mut context.pool(), email).await?;
+ let site_view = SiteView::read_local(&mut context.pool()).await?;
+
+ check_email_verified(&local_user_view, &site_view)?;
+ if let Err(e) =
+ send_password_reset_email(&local_user_view, &mut context.pool(), context.settings()).await
+ {
+ error!("Failed to send password reset email: {}", e);
+ }
+
+ Ok(())
+}
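Review bot: `reset_password` still awaits `try_reset_password` before it answers, so the response time continues to separate the two cases the constant body is meant to hide: an unknown address returns at the `?` after `find_by_email`, while a known one goes on to the site read, the verification check and the mail send. Taking the work off the request path would remove that difference, for example `tokio::spawn(async move { let _ = try_reset_password(&email, &context).await; });`, assuming `context` can be moved into a task and the future is `Send`, neither of which is visible in this hunk. Separately, `let _ =` drops errors from `find_by_email` and `SiteView::read_local` with no log line, whereas the send failure is logged, so a database outage would look like success to both the caller and the operator. Logging the error at the call site (without the address) would keep that visible. A short doc comment on `try_reset_password` stating that its `Err` is intentionally never surfaced to the client would also help the next reader.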