Fix leaking information about non existing email in forgotten password

ds-wizard · Jan 22, 2024 · a1f9f4a · a1f9f4a
1 parent 429b11f
commit a1f9f4a
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/wizard-server/src/Wizard/Service/User/UserService.hs b/wizard-server/src/Wizard/Service/User/UserService.hs
@@ -242,12 +242,15 @@ changeUserPasswordByHash userUuid hash userPasswordDto =
 resetUserPassword :: ActionKeyDTO ActionKeyType -> AppContextM ()
 resetUserPassword reqDto =
   runInTransaction $ do
-    user <- findUserByEmail reqDto.email
-    tenantUuid <- asks currentTenantUuid
-    actionKey <- createActionKey user.uuid ForgottenPasswordActionKey tenantUuid
-    catchError
-      (sendResetPasswordMail (toDTO user) actionKey.hash)
-      (\errMessage -> throwError $ GeneralServerError _ERROR_SERVICE_USER__RECOVERY_EMAIL_NOT_SENT)
+    mUser <- findUserByEmail' reqDto.email
+    case mUser of
+      Just user -> do
+        tenantUuid <- asks currentTenantUuid
+        actionKey <- createActionKey user.uuid ForgottenPasswordActionKey tenantUuid
+        catchError
+          (sendResetPasswordMail (toDTO user) actionKey.hash)
+          (\errMessage -> throwError $ GeneralServerError _ERROR_SERVICE_USER__RECOVERY_EMAIL_NOT_SENT)
+      Nothing -> return ()
 
 changeUserState :: String -> Bool -> AppContextM ()
 changeUserState hash active =