Secure? dbconnections/change_password

dyAuth0 · October 8, 2019, 9:29pm

I am not sure how this is ‘secure’ or safe enough that others wouldn’t not abuse.

To have auth0 send an email to a user to reset their password…all i had to do was perform following post
var response = await _client.PostAsync(“dbconnections/change_password”, content);
where content contained the client_id and user’s email address.

While I recognize only that user could reset their password, it seems that others could hack around and force my application to send emails out if all they really had to know is my application client_id and a users email address. Is client_id considered very private and not to be put in any js /c# code?

thx
dy

dan.woda · October 8, 2019, 10:37pm

Client ID is a public identifier for you app, and is not secret.

This behavior is no different than going to a login page, clicking “I forgot my password” and submitting an email. In fact, that is the endpoint used for this action. It is a common practice to allow this behavior.

Hope this helps!

Thanks,
Dan

dan.woda · October 23, 2019, 10:37pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
In what scenario "POST https://YOUR_DOMAIN/dbconnections/change_password" would fail? Help change-password , users	2	2075	December 22, 2022
Custom "dbconnections/change_password" or some alternative? Help auth0 , api , change-password	6	2178	July 28, 2022
Problems invoking dbconnections/change_password Help	3	2470	December 22, 2022
Db_connections/change_password responds with error "email or username are required" Help	3	2876	October 20, 2021
POST https://YOUR_DOMAIN/dbconnections/change_password only sends verify email Help change-password	0	1892	August 31, 2022

Secure? dbconnections/change_password

Related Topics