Auth0 Home Blog Docs

Secure? dbconnections/change_password

I am not sure how this is ‘secure’ or safe enough that others wouldn’t not abuse.

To have auth0 send an email to a user to reset their password…all i had to do was perform following post
var response = await _client.PostAsync(“dbconnections/change_password”, content);
where content contained the client_id and user’s email address.

While I recognize only that user could reset their password, it seems that others could hack around and force my application to send emails out if all they really had to know is my application client_id and a users email address. Is client_id considered very private and not to be put in any js /c# code?

thx
dy

Client ID is a public identifier for you app, and is not secret.

This behavior is no different than going to a login page, clicking “I forgot my password” and submitting an email. In fact, that is the endpoint used for this action. It is a common practice to allow this behavior.

Hope this helps!

Thanks,
Dan

1 Like