Reset Password does not check if email is valid

I just set up reset password on a club site (self registration is disabled).

When I tested it with a fake email address, I got response 200, `{"ok":true}`.

What is happening? Is an email sent? What could the receiver do with the link?

Do I have to create a custom endpoint to check first if the email is valid?

If this is intended behaviour, can it be added to the Docs?

I can't be 100% confident about why Strapi has done this, but this is undoubtedly standard behaviour for most systems: say the forgot-password email has been sent.

Reasons:

  • It reduces security vulnerabilities, as it doesn't confirm that a user's email address exists. Otherwise, bots can brute-force the forgot-password endpoint to find valid user accounts and then brute-force their passwords.
  • It reduces privacy; some people would not like websites to confirm that a user exists on their site.

Is email sent?

If the email address doesn't exist, no email is sent.

Do I have to create a custom endpoint to check first if the email is valid?

Don't do that, for the reasons above.