    Merge branch 'devise_paranoid_mode' into 'master' · 0c0854c8
    Robert Speicher authored
    Enable Devise paranoid mode and ensure the returned message is the same
    every time. This will prevent user enumeration (low impact).
    
    Prior to this change a user could type an email in the password reset
    field and if the email didn't exist it returned an error. If the email
    was valid it returned a message saying the forgot password link had been
    emailed. After this change the user will receive a message that if the
    email is in our database the reset link will be emailed.
    
    I also changed the throttle mechanism so it still works the same but
    now returns the exact same message as above. Previously it would say
    'You've already sent a request. Wait a few minutes'. This also allows
    user enumeration, although it requires a double-check.
    
    Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624
    
    See merge request !2044
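The behaviour the commit message describes, as an added example that is not GitLab's or Devise's own code: one fixed reply for the unknown-address, known-address and throttled cases, so the response alone cannot tell registered addresses apart from unregistered ones (in a real Devise app this is the `config.paranoid = true` setting the commit enables; the class, the `known_emails` list, the throttle window and the message wording here are constructed for illustration).

```ruby
# Added example (not GitLab's or Devise's code): a minimal model of the
# paranoid-mode behaviour the commit describes. Whatever branch the
# request takes, the caller gets the same message.
require 'set'

class PasswordResetResponder
  # One fixed message for every outcome, including the throttled case
  # (constructed wording for this example).
  MESSAGE = 'If your email address exists in our database, you will ' \
            'receive a password recovery link at your email address ' \
            'in a few minutes.'

  attr_reader :sent # addresses that would have been emailed (for inspection)

  def initialize(known_emails:, throttle_seconds: 120, clock: -> { Time.now })
    @known = Set.new(known_emails.map(&:downcase))
    @throttle_seconds = throttle_seconds
    @clock = clock
    @last_sent = {} # email -> time the last reset mail went out
    @sent = []
  end

  # Returns the user-facing message. Side effects (sending, throttling)
  # happen only for known addresses and are never reflected in the message.
  def request_reset(email)
    key = email.to_s.downcase
    now = @clock.call
    if @known.include?(key)
      last = @last_sent[key]
      unless last && (now - last) < @throttle_seconds
        @sent << key # stand-in for delivering the reset mail
        @last_sent[key] = now
      end
    end
    MESSAGE
  end
end

# Hypothetical check in the spirit of the commit's spec: the three paths
# (unknown address, known address, throttled known address) must be
# indistinguishable from the returned message alone.
def uniform_response?(responder)
  unknown   = responder.request_reset('nobody@example.com')
  first     = responder.request_reset('alice@example.com')
  throttled = responder.request_reset('alice@example.com')
  [unknown, first, throttled].uniq.size == 1
end
```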