Forgot Password not showing success for user with no email
Description
When using the hosted Forgot Password page, if you enter the username of a user that exists but does not have an email address, the page simply refreshes.
Looking at the responses, the POST /password/forgot is returning a 200 with the response body containing the Forgot Password page:
Request Method: POST
Status Code: 200
Affects versions
1.36.8
Steps to reproduce
Steps to reproduce the behavior:
- Go to /password/forgot
- Enter the username of a user that exists but has no email address
- Click the button
Expected behavior
I would expect that all outcomes return the success screen regardless of whether or not the email was actually sent, in order to not reveal whether the user does or does not exist.
Expected Response:
Request Method: POST
Status Code: 302
location: /password/sent?...
Platform
- Device: PC
- OS: Linux (pop_os)
- Browser: Chrome
- Database: postgres
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
Additional context
Following scenarios all correctly show the success screen:
- Username entered, user exists and has email
- Username entered, user does not exist
- Email entered, user does not exist
- Email entered, user exists
I have also verified this behaviour with a default instance of FusionAuth. I don't see anything in either the Event Logs or the FusionAuth logs related to it.
Internal:
- https://github.com/FusionAuth/fusionauth-app/pull/177
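The report above describes a user-enumeration oracle: one outcome of the forgot-password flow (user exists, no email) returns a different status code than every other outcome. The following is an added example, not FusionAuth code, that models the reported behaviour and the expected behaviour as two plain Python handlers, then runs the scenarios listed under "Additional context" through both to show which one is distinguishable. The user directory, the `lookup`, `send_reset_email` and handler names, and the redirect target (the real one carries query parameters that are omitted here) are all assumptions for illustration.

```python
"""Added example (not FusionAuth's code): a forgot-password handler with and
without a user-enumeration oracle, plus a check that detects the oracle."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

Response = Tuple[int, Optional[str]]  # (HTTP status, Location header)


@dataclass
class User:
    username: str
    email: Optional[str]


# Constructed sample directory; hypothetical users, not taken from the report.
USERS = {
    "alice": User("alice", "alice@example.com"),
    "bob": User("bob", None),  # exists, but has no email address
}


def lookup(login_id: str) -> Optional[User]:
    """Resolve a login id that may be either a username or an email address."""
    if login_id in USERS:
        return USERS[login_id]
    for user in USERS.values():
        if user.email is not None and user.email.lower() == login_id.lower():
            return user
    return None


def send_reset_email(user: User) -> None:
    """Stand-in for the mailer (hypothetical); a real handler would enqueue
    the message so that sending time does not become a timing side channel."""
    assert user.email is not None


def forgot_password_vulnerable(login_id: str) -> Response:
    """Mirrors the behaviour reported: an existing user with no email address
    re-renders the form with a 200 instead of redirecting to the success page."""
    user = lookup(login_id)
    if user is None:
        return (302, "/password/sent")  # unknown user: success page anyway
    if user.email is None:
        return (200, None)  # leaks: distinguishable from every other outcome
    send_reset_email(user)
    return (302, "/password/sent")


def forgot_password_hardened(login_id: str) -> Response:
    """Every outcome yields the same redirect; the branch only decides whether
    an email is actually sent, never what the client sees."""
    user = lookup(login_id)
    if user is not None and user.email is not None:
        send_reset_email(user)
    return (302, "/password/sent")


# The five scenarios from the report: username/email, known/unknown, with/without email.
SCENARIOS = ["alice", "alice@example.com", "bob", "nobody", "nobody@example.com"]


def distinct_responses(handler, login_ids=SCENARIOS) -> Set[Response]:
    """Collect the distinct (status, location) pairs a handler produces.
    More than one distinct pair means an attacker can tell the cases apart."""
    return {handler(login_id) for login_id in login_ids}


def is_enumerable(handler, login_ids=SCENARIOS) -> bool:
    """True when the handler's responses differ across the scenarios."""
    return len(distinct_responses(handler, login_ids)) > 1


if __name__ == "__main__":
    for name, handler in [("vulnerable", forgot_password_vulnerable),
                          ("hardened", forgot_password_hardened)]:
        print(name, "enumerable:", is_enumerable(handler), distinct_responses(handler))
```

The same check works against a live instance: submit each scenario to the hosted form and compare status code and Location header (and, with more samples, response time); any scenario whose response differs from the rest is an oracle for account existence or account state.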