Return an error message if the user doesn't exist inside ReviseAuth::PasswordResetsController #84

ahmadabdelhalim · 2024-06-10T16:22:17Z

ahmadabdelhalim
Jun 10, 2024

Hello,

So I was reviewing the code and taking a look inside ReviseAuth::PasswordResetsController

I noticed that in the create action, you're ignoring cases where the user enters an incorrect email and no error message is returned.

  def create
    user = User.find_by(email: user_params[:email])
    user&.send_password_reset_instructions

    flash[:notice] = t(".password_reset_sent")
    redirect_to login_path
  end

shouldn't we return an error message instead of using the safe navigation operator?

Answered by excid3

Jun 10, 2024

No, the general best practice here is to send the same message either way. It helps prevent people checking if an account is registered with that email if someone is trying to do malicious things.

View full answer

excid3 · 2024-06-10T16:25:48Z

excid3
Jun 10, 2024
Maintainer

No, the general best practice here is to send the same message either way. It helps prevent people checking if an account is registered with that email if someone is trying to do malicious things.

1 reply

ahmadabdelhalim Jun 10, 2024
Author

that makes sense. closing this one

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Return an error message if the user doesn't exist inside ReviseAuth::PasswordResetsController #84

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Return an error message if the user doesn't exist inside ReviseAuth::PasswordResetsController #84

ahmadabdelhalim Jun 10, 2024

Replies: 1 comment · 1 reply

excid3 Jun 10, 2024 Maintainer

ahmadabdelhalim Jun 10, 2024 Author

ahmadabdelhalim
Jun 10, 2024

Replies: 1 comment 1 reply

excid3
Jun 10, 2024
Maintainer

ahmadabdelhalim Jun 10, 2024
Author