massx1 opened a new pull request, #1416: URL: https://github.com/apache/syncope/pull/1416
This change hardens password reset flows to avoid exposing whether a submitted username exists, whether the security answer is valid, or whether a reset token matches a user. When password reset detail hiding is enabled, unknown users and invalid security answers are ignored with a server-side warning, while the client receives the same successful request flow. Invalid reset tokens return a generic not-found message instead of reflecting the submitted token. A new configuration property preserves compatibility: security.passwordReset.hideDetails=true The end-user password reset request success message was also updated to avoid implying that the password has already been changed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
