This repository was archived by the owner on Jul 12, 2023. It is now read-only.

Suppress user-not-found error #624

Merged 1 commit on Sep 21, 2020

Conversation

whaught
Contributor

@whaught whaught commented Sep 21, 2020

Proposed Changes

  • Respond the same for users whose emails are not found
  • This won't fool anyone savvy - we need to either:
    1. send these from our own SMTP server
    2. find a firebase toggle that disables this response
    3. run all firebase from node.js in a function as a proxy, filter server side, keep the firebase api key secret
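As an added example (not the project's code), the reset-error handling rewritten as a pure function: the condition from the hunk is shown with its `=` assignment beside the `===` comparison, and success and `auth/user-not-found` produce the same message so the UI text alone does not reveal whether an address is registered. The error codes and messages are constructed sample values, and, as the reviewers note, this only changes what the page displays, not what the Firebase API returns.

```javascript
// Added example, not code from the PR. Maps a Firebase-style password-reset
// outcome to the flash message shown to the user. `outcome` is null on
// success, or an object like { code, message } when the promise rejected.

const UNIFORM_MESSAGE =
  'If an account exists for that address, a password reset email has been sent.';

// Error codes whose presence must not be distinguishable from success in the UI.
// The set is a constructed sample; only 'auth/user-not-found' appears in the PR.
const ENUMERATION_CODES = new Set(['auth/user-not-found']);

// Returns { level, message } for a flash component with alert/error levels.
function resetFlashFor(outcome) {
  if (outcome === null) {
    return { level: 'alert', message: UNIFORM_MESSAGE };
  }
  // `===`, not `=`: with an assignment every error would take this branch and
  // genuine failures (network, rate limiting) would be hidden from the user.
  if (ENUMERATION_CODES.has(outcome.code)) {
    return { level: 'alert', message: UNIFORM_MESSAGE };
  }
  return { level: 'error', message: outcome.message };
}

// Reproduces the defect in the hunk: assignment inside the condition. The
// right-hand side is a non-empty string, so the test is always truthy and
// the function returns true for any error object it is given.
function buggyBranchTaken(error) {
  // eslint-disable-next-line no-cond-assign
  if (error.code = 'auth/user-not-found') {
    return true;
  }
  return false;
}
```

The client-side mapping is only cosmetic: the underlying Firebase response is still visible in the browser's network inspector, which is the point the review thread goes on to make.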

@google-cla google-cla bot added the cla: yes Auto: added by CLA bot when all committers have signed a CLA. label Sep 21, 2020
Member

@sethvargo sethvargo left a comment


/lgtm
/approve

@@ -70,8 +70,12 @@
flash.alert('Password reset email sent.');
}).catch(function(error) {
flash.clear();
flash.error(error.message);
$submit.prop('disabled', false);
if (error.code = "auth/user-not-found") {
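Review bot: the condition on the last line of the hunk, `if (error.code = "auth/user-not-found")`, is an assignment rather than a comparison; the right-hand side is a non-empty string, so the test is always truthy, the branch runs for every rejected promise, and `error.code` is overwritten in the process. It should read `if (error.code === "auth/user-not-found")`. Also, `flash.error(error.message)` is called two lines above this check, so a neutral message added inside the branch would follow, not replace, the Firebase error text shown to the user; the neutral message needs to take the place of that call for the not-found case.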
Member


So... this fixes the issue, but it doesn't actually stop anyone with a Web Inspector. You can still see the response sent.

Contributor


We should always say something like "check your email for your reset password link" and leave it at that.

Member


I mean the response from calling the firebase API - until this is all server side, someone can just look at what firebase is returning. Or they could just talk to firebase directly with our API key.

Contributor Author


This is what I was talking about in the description. We need an SMTP server to send mail if we want to do it ourselves or we could wrap it all in a node.js cloud function (gross).

Member


I mean. The other option is to bundle the node.js runtime into our container and exec...

@google-oss-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sethvargo, whaught


@google-oss-robot google-oss-robot merged commit 0525fd6 into google:main Sep 21, 2020
@whaught whaught deleted the fake-security branch September 22, 2020 16:00
@google google locked and limited conversation to collaborators Oct 6, 2020
4 participants