Secure? dbconnections/change_password

dyAuth0 · October 8, 2019, 9:29pm

I am not sure how this is ‘secure’ or safe enough that others wouldn’t not abuse.

To have auth0 send an email to a user to reset their password…all i had to do was perform following post
var response = await _client.PostAsync(“dbconnections/change_password”, content);
where content contained the client_id and user’s email address.

While I recognize only that user could reset their password, it seems that others could hack around and force my application to send emails out if all they really had to know is my application client_id and a users email address. Is client_id considered very private and not to be put in any js /c# code?

thx
dy

dan.woda · October 8, 2019, 10:37pm

Client ID is a public identifier for you app, and is not secret.

This behavior is no different than going to a login page, clicking “I forgot my password” and submitting an email. In fact, that is the endpoint used for this action. It is a common practice to allow this behavior.

Hope this helps!

Thanks,
Dan

dan.woda · October 23, 2019, 10:37pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
In what scenario "POST https://YOUR_DOMAIN/dbconnections/change_password" would fail? Help change-password , users	2	2077	December 22, 2022
Custom "dbconnections/change_password" or some alternative? Help auth0 , api , change-password	6	2179	July 28, 2022
How to reset user's password using API of Auth0? Help auth0 , api , password-reset	3	21269	November 2, 2018
Create New User & Send email for changing password - HELP with ManagementAPI Help auth0 , management-api , login	0	3469	October 8, 2019
Reset Pasword Email - Oops!, something went wrong Help password-reset	1	3508	December 3, 2019

Secure? dbconnections/change_password

Related topics