Email address enumeration in password reset

[Cave-Johnson]

Describe the bug
The password reset form allows for usernames / email addresses to be enumerated. A valid email address shows the message:
"A password reset link has been sent to email@email.com"

where as a non existent email shows the error:
"We can't find a user with that e-mail address."

Steps To Reproduce
Steps to reproduce the behavior:

1. Go to the forgotten password page
2. Enter a valid and invalid email address
3. Observe responses from the application

Expected behavior
The application should respond to invalid email addresses with the same generic error response as a valid email, thereby not indicating to an attacker the validity of the value submitted preventing username enumeration

[ssddanbrown]

Thanks for raising @Cave-Johnson.

It's a good point, I know some services differ as there's an argument of the current state providing a potential better user-experience, to avoid cases such as mis-typed emails or a user entering their wrong email, but we can't assume the environments BookStack will be used in so we should err on the side of caution & security.

Have assigned to be part of the next release.

[Cave-Johnson]

Thanks for the prompt reply!

Perhaps if the generic error showed said something a long the lines of "If this is a registered email address on this instance of bookstack, a password reset link will be sent to the address specified" it would give a user enough information and maintain the security of the password reset functionality?

[ssddanbrown]

I've made the updates to this system now.

The notification will show as "A password reset link will be sent to <input_email> if that email address is found in the system.".

I've also updated the follow-on form, where the new password get's set, to show an invalid token warning if the given email given does not exist, instead of a non-existing user warning.

This will be part of the next feature release, v0.29.