FEATURE: hide_email_address_taken forces use of email in forgot password form (#15362)

* FEATURE: hide_email_address_taken forces use of email in forgot password form This strengthens this site setting which is meant to be used to harden sites that are experiencing abuse on forgot password routes. Previously we would only deny letting people know if forgot password worked on not New change also bans usage of username for forgot password when enabled
2025-06-01 01:05:11 +08:00 · 2021-12-20 12:54:10 +11:00
parent 1cdb5b7e4a
commit b6c3e9aa03
7 changed files with 51 additions and 7 deletions
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@ -2058,6 +2058,29 @@ describe SessionController do
  end

  describe '#forgot_password' do
+
+    context 'when hide_email_address_taken is set' do
+      before do
+        SiteSetting.hide_email_address_taken = true
+      end
+
+      it 'denies for username' do
+        post "/session/forgot_password.json",
+          params: { login: user.username }
+
+        expect(response.status).to eq(200)
+        expect(Jobs::CriticalUserEmail.jobs.size).to eq(0)
+      end
+
+      it 'allows for email' do
+        post "/session/forgot_password.json",
+          params: { login: user.email }
+
+        expect(response.status).to eq(200)
+        expect(Jobs::CriticalUserEmail.jobs.size).to eq(1)
+      end
+    end
+
    it 'raises an error without a username parameter' do
      post "/session/forgot_password.json"
      expect(response.status).to eq(400)