removed error output from user reset for rate limiting or incorrect email, so users cannot validate emails via this endpoint

7 years ago · f769e734ed
parent 9c4d17dbf1
commit f769e734ed
2 changed files with 13 additions and 8 deletions
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@ -88,15 +88,20 @@ SocketUser.reset.send = function (socket, email, callback) {
 	}
 	user.reset.send(email, function (err) {
-		if (err && err.message !== '[[error:invalid-email]]') {
+		if (err) {
-			return callback(err);
+			switch (err.message) {
-		}
+			case '[[error:invalid-email]]':
-		if (err && err.message === '[[error:invalid-email]]') {
+				winston.warn('[user/reset] Invalid email attempt: ' + email + ' by IP ' + socket.ip + (socket.uid ? ' (uid: ' + socket.uid + ')' : ''));
-			winston.verbose('[user/reset] Invalid email attempt: ' + email);
+				err = null;
-			return setTimeout(callback, 2500);
+				break;
 			case '[[error:reset-rate-limited]]':
 				err = null;
 				break;
 			}
 		}
-		callback();
+		setTimeout(callback.bind(err), 2500);
 	});
 };
--- a/src/user/reset.js
+++ b/src/user/reset.js
@ -51,7 +51,7 @@ function canGenerate(uid, callback) {
 		},
 		function (score, next) {
 			if (score > Date.now() - (1000 * 60)) {
-				return next(new Error('[[error:cant-reset-password-more-than-once-a-minute]]'));
+				return next(new Error('[[error:reset-rate-limited]]'));
 			}
 			next();
 		},