From f769e734edbe33e9d42080b0afc2629e2fb4d7fa Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 4 Apr 2018 13:09:53 -0400
Subject: [PATCH] removed error output from user reset for rate limiting or incorrect email, so users cannot validate emails via this endpoint

---
 src/socket.io/user.js | 19 ++++++++++++-------
 src/user/reset.js | 2 +-
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/socket.io/user.js b/src/socket.io/user.js
index 1ed67276c4..36026a7f28 100644
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@@ -88,15 +88,20 @@ SocketUser.reset.send = function (socket, email, callback) {
 	}
 
 	user.reset.send(email, function (err) {
-		if (err && err.message !== '[[error:invalid-email]]') {
-			return callback(err);
-		}
-		if (err && err.message === '[[error:invalid-email]]') {
-			winston.verbose('[user/reset] Invalid email attempt: ' + email);
-			return setTimeout(callback, 2500);
+		if (err) {
+			switch (err.message) {
+				case '[[error:invalid-email]]':
+					winston.warn('[user/reset] Invalid email attempt: ' + email + ' by IP ' + socket.ip + (socket.uid ? ' (uid: ' + socket.uid + ')' : ''));
+					err = null;
+					break;
+
+				case '[[error:reset-rate-limited]]':
+					err = null;
+					break;
+			}
 		}
 
-		callback();
+		setTimeout(callback.bind(err), 2500);
 	});
 };
 
diff --git a/src/user/reset.js b/src/user/reset.js
index 5b6e183b27..c287776ec5 100644
--- a/src/user/reset.js
+++ b/src/user/reset.js
@@ -51,7 +51,7 @@ function canGenerate(uid, callback) {
 		},
 		function (score, next) {
 			if (score > Date.now() - (1000 * 60)) {
-				return next(new Error('[[error:cant-reset-password-more-than-once-a-minute]]'));
+				return next(new Error('[[error:reset-rate-limited]]'));
 			}
 			next();
 		},
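Review bot: `setTimeout(callback.bind(err), 2500)` on the last added line of the src/socket.io/user.js hunk binds err as the callback's `this`, not as its first argument, so callback is always invoked with no arguments and any error the switch did not clear (a storage failure, for instance) is silently dropped rather than reported to the client. Use `setTimeout(callback, 2500, err);` (or `setTimeout(function () { callback(err); }, 2500);`) so the uniform delay that now covers the success path and both masked failures is kept, while unexpected errors still propagate. Reassigning the err parameter to null inside the switch is also easy to misread; a local `var clientErr = err;` that the two cases clear would state the intent directly. SocketUser.reset.send begins before the hunk.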
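Review bot: The renamed key `[[error:reset-rate-limited]]` in the src/user/reset.js hunk has no matching language-file entry in this commit — the diffstat lists only the two source files — so anywhere this error still reaches a client unmasked, the raw key would be displayed untranslated. The socket handler now swallows it, but other callers of canGenerate are not visible from this hunk; either add the key to the error language file in the same change or confirm no other path surfaces it. canGenerate starts before the hunk and the surrounding async chain continues after it.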