Skip to content

Set dummy resetRequest cookie on password reset errors to prevent username/email enumeration (TypeScript). #1602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
zeropath-ai-dev wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Set dummy resetRequest cookie on password reset errors to prevent username/email enumeration (TypeScript). #1602

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1bd494f
fix: replace specific 401 response with generic error handling
Aug 14, 2025
4453226
fix: set dummy resetRequest cookie to prevent username/email enumeration
Aug 14, 2025
6ff6eeb
fix: correct search/replace block in resetPassword route handling
Aug 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion routes/resetPassword.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,17 +14,24 @@ import challengeUtils = require('../lib/challengeUtils')
const users = require('../data/datacache').users
const security = require('../lib/insecurity')

function setResetRequestCookie(res: Response) {
res.cookie('resetRequest', '1', { maxAge: 600000, httpOnly: true, sameSite: 'Strict' })
}

module.exports = function resetPassword () {
return ({ body, connection }: Request, res: Response, next: NextFunction) => {
const email = body.email
const answer = body.answer
const newPassword = body.new
const repeatPassword = body.repeat
if (!email || !answer) {
setResetRequestCookie(res)
next(new Error('Blocked illegal activity by ' + connection.remoteAddress))
} else if (!newPassword || newPassword === 'undefined') {
setResetRequestCookie(res)
res.status(401).send(res.__('Password cannot be empty.'))
} else if (newPassword !== repeatPassword) {
setResetRequestCookie(res)
res.status(401).send(res.__('New and repeated password do not match.'))
} else {
SecurityAnswerModel.findOne({
Expand All @@ -37,6 +44,7 @@ module.exports = function resetPassword () {
UserModel.findByPk(data.UserId).then((user: UserModel | null) => {
user?.update({ password: newPassword }).then((user: UserModel) => {
verifySecurityAnswerChallenges(user, answer)
setResetRequestCookie(res)
res.json({ user })
}).catch((error: unknown) => {
next(error)
Expand All @@ -45,9 +53,10 @@ module.exports = function resetPassword () {
next(error)
})
} else {
res.status(401).send(res.__('Wrong answer to security question.'))
next(new Error('Blocked illegal activity by ' + connection.remoteAddress))
}
}).catch((error: unknown) => {
setResetRequestCookie(res)
next(error)
})
}
Expand Down