Do not reveal account existence through public endpoints

Daniel Gerhardt requested to merge dont-reveal-account-existence into master

The user URL alias resolution and the password reset endpoint no longer respond with 404 if no account exists for the loginId.

Invalid aliases are resolved to the nil UUID. Therefore, errors are now handled by the target of the internal redirect instead of being intercepted early.

Closes: #283
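
The pattern described above, as an added sketch that is not the project's own code and is not part of this merge request: alias resolution never fails, and the redirect target alone decides the response. The function names, the sample account, the 403/202 status codes and the authorization-before-existence ordering are assumptions for illustration.

```python
import uuid

NIL_UUID = uuid.UUID(int=0)  # 00000000-0000-0000-0000-000000000000

# Constructed sample data: loginId -> account id, account id -> profile
ALIASES = {"alice@example.org": uuid.UUID("5f0c2b1e-8a3d-4c57-9e21-3b7a6d1f4c90")}
ACCOUNTS = {ALIASES["alice@example.org"]: {"displayName": "Alice"}}


def resolve_alias(login_id):
    """Never fails: an unknown alias maps to the nil UUID, not to an early 404."""
    return ALIASES.get(login_id, NIL_UUID)


def get_user(user_id, caller_id):
    """Target of the internal redirect; the only place that picks a status."""
    # Assumed ordering: authorization is checked before existence, so a caller
    # without access gets the same answer for a real id and for the nil UUID.
    if caller_id is None or caller_id != user_id:
        return 403, {"error": "Forbidden"}
    account = ACCOUNTS.get(user_id)
    if account is None:
        return 404, {"error": "Not Found"}
    return 200, account


def get_user_by_alias(login_id, caller_id=None):
    """Public endpoint: resolve, then hand over to the target unconditionally."""
    return get_user(resolve_alias(login_id), caller_id)


def request_password_reset(login_id, outbox):
    """Same status and body whether or not an account exists for login_id."""
    user_id = resolve_alias(login_id)
    if user_id in ACCOUNTS:
        # The only difference is a side effect the requester cannot observe.
        outbox.append((login_id, "reset link"))
    return 202, {}
```

Identical status and body do not cover response timing; work done only for existing accounts, such as sending mail, should be queued so both paths return equally fast.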
