
Security concern? 'Send password reset email' workflow gives away whether account exists

Hi there

I’m working on the forgot password feature for my app.

My understanding of best practice is to not tell the person making the forgot password request whether or not a particular email address is associated with an account on a site.

For example, a website might say, “We’ve attempted to send a reset link to [email provided]. Please check your email.”

However, it seems that bubble.is does give away whether an account with that email exists:

Does anyone have any experience with this issue? Am I being overly security conscious?

Cheers
Travis

You can change the prompt to say something else like “this password-email combination was not valid. Please try again”

Thanks @cdorozco16, that’s a good start.
It doesn’t quite go all the way to solving the issue though.

Changing the language code for the ‘NO_SUCH_USER’ value is helpful e.g.
[image]

Though someone doing this many times will know when they hit a real email, as it will trigger those workflow conditions specified, e.g. reset inputs, close popup. So for the best integration, you’d need to use the following workflow event:
[image]

You’ll be able to enter the exact error code and run a set of workflow actions so as not to give away any sign that the email/user exists. So whether the password reset workflow actions run or not, it acts the same way: showing an alert like the one above, resetting the inputs and closing the popup…

With that said, I’ve run a quick test on Bubble’s default login/signup reusable element with a password reset and applied the following:
[image]
[image]

But the standard browser error appears. Am I missing something? Is this a bug? Or a known fact that you can’t run this on password reset workflows? @neerja
