Why does the Change Password API always return a "valid" result?

I’m looking at using the Public Authorization API Change password endpoint, /dbconnections/change_password, to send a “reset password” email. In testing it seems that even when I send an email that doesn’t have an existing Auth0 account it still responds with the result, “We've just sent you an email to reset your password.”

Is this a security measure so someone can’t probe the endpoint for valid account email addresses? How can I let a user who might have mistyped an email or entered the wrong email know there is not an email match if the response is always “success”?


I was just about to post a question around this. Another observation related to this - if you’re using a custom db connection, Auth0 will invoke the Get User action script to see if the user exists; however, it seems to ignore the result of this call and send the reset password email anyway. I’ve tried returning the ‘not found’ response (callback(null);) but it has no effect.

The Change Password endpoint will return a success message, regardless of outcome, as a security measure to prevent user enumeration. E.g. a malicious user could use this endpoint to find out whether an email address was registered with your application. The following document explains user enumeration in more detail:
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
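The behaviour described in this answer, as an added example that is not part of the original thread and is not Auth0's implementation: a reset handler whose response reveals whether an address is registered, beside one that answers identically for every address and leaves the existence check to a background worker. All function names, messages other than the quoted success text, and sample addresses are constructed for illustration.

```javascript
// Added example: enumeration-safe handling of a password reset request.
// Names and sample data are constructed; this is not Auth0's code.
const GENERIC = "We've just sent you an email to reset your password.";

const normalize = (email) => String(email).trim().toLowerCase();

// "Before": status and body reveal whether the address is registered.
function leakyReset(users, email) {
  if (!users.has(normalize(email))) {
    return { status: 404, body: "No account found for that email." };
  }
  return { status: 200, body: GENERIC };
}

// "After": the request path does identical work for every address.
// It only enqueues a job; the existence check happens in the worker.
function uniformReset(queue, email) {
  queue.push({ email: normalize(email) });
  return { status: 200, body: GENERIC };
}

// Worker, off the request path: mail goes out only for real accounts.
function processQueue(queue, users, outbox) {
  while (queue.length > 0) {
    const job = queue.shift();
    if (users.has(job.email)) {
      outbox.push({ to: job.email, subject: "Reset your password" });
    }
  }
  return outbox;
}

// Regression check: true when a handler's responses for a known and an
// unknown address can be told apart.
function leaksExistence(handler, known, unknown) {
  return JSON.stringify(handler(known)) !== JSON.stringify(handler(unknown));
}

// Constructed sample data: one registered address, one mistyped address.
const users = new Set(["alice@example.com"]);
const queue = [];
console.log(leaksExistence((e) => leakyReset(users, e), "alice@example.com", "alcie@example.com"));
console.log(leaksExistence((e) => uniformReset(queue, e), "alice@example.com", "alcie@example.com"));
console.log(processQueue(queue, users, []));
```
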

Ok. That’s what I thought might be the case.