Password reset e-mail being sent to non-valid users

I am using Lock as my login widget and I noticed that going through the forgot password flow and entering an e-mail that does not exist, an e-mail is still sent out prompting them to reset the password. It allows them to reset the password, but login will fail with the non-valid e-mail and new password.

Is there a way to have the e-mails only be sent for valid users?

:wave: @eugene.low I believe that the message stating an email has been sent is expected behavior. Lock is implemented to provide this message regardless of the user being found or not to prevent user enumeration, which can lead to multiple attack vectors. This way, an attacker cannot find out whether a particular user/email has an account in your application by brute force. The password reset emails will be sent to registered users, even though the message says an email has been sent.

When you say non-valid users are you referring to blocked users? I don’t believe a blocked user should be able to start and complete a password reset. If that is the case can you please let me know?
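The behavior described in the reply above, sketched as an added example that is not part of the thread and is not Lock's or Auth0's code: a reset handler that returns the same response for every address and queues mail only for registered ones. The in-memory stores, the response text and the function name `requestPasswordReset` are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: one registered account, held in memory.
const users = new Map([['alice@example.com', { id: 1 }]]);
const resetTokens = new Map(); // sha256(token) -> { userId, expires }
const outbox = [];             // stands in for a mail queue drained by a worker

// The one response every caller receives, registered or not (hypothetical text).
const GENERIC_RESPONSE = Object.freeze({
  status: 200,
  body: 'If that address has an account, a reset email is on its way.',
});

function requestPasswordReset(rawEmail, now = Date.now()) {
  // Normalize so case or whitespace variants map to the same account.
  const email = String(rawEmail).trim().toLowerCase();
  const user = users.get(email);
  if (user) {
    const token = crypto.randomBytes(32).toString('hex');
    const digest = crypto.createHash('sha256').update(token).digest('hex');
    // Store only the hash so a leaked table does not expose usable tokens.
    resetTokens.set(digest, { userId: user.id, expires: now + 15 * 60 * 1000 });
    // Queue instead of sending inline, so the slow mail call does not make
    // registered addresses respond measurably later than unknown ones.
    outbox.push({ to: email, token });
  }
  // No branch above changes what the caller sees.
  return GENERIC_RESPONSE;
}
```

Comparing the responses for a registered and an unregistered address, together with the contents of the mail queue, is a quick regression check that the flow has not started leaking account existence.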

Hi @kimcodes

I am referring to the actual password reset e-mail being sent. If I were to enter and that e-mail is not registered, an e-mail is still being sent to allowing them to reset their password.

Non-valid meaning that the e-mail is not registered.

Thanks for the response!

Hey there!

Sorry for such a delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for such inconvenience!

Do you still require further assistance from us?