server: improve security of password reset flow #213

Closed
Johann150 wants to merge 1 commit from refactor/password-reset into main

1 commit

Author SHA1 Message Date
Johann150 42093969b5
server: improve security of password reset flow
Some checks failed
ci/woodpecker/push/lint-client Pipeline was successful
ci/woodpecker/push/lint-backend Pipeline was successful
ci/woodpecker/push/lint-foundkey-js Pipeline was successful
ci/woodpecker/push/build Pipeline was successful
ci/woodpecker/push/test Pipeline was successful
ci/woodpecker/pr/lint-foundkey-js Pipeline was successful
ci/woodpecker/pr/lint-backend Pipeline was successful
ci/woodpecker/pr/lint-client Pipeline failed
ci/woodpecker/pr/test Pipeline failed
ci/woodpecker/pr/build Pipeline was successful
- make the rate limiting for requesting password resets much more sensitive
  NB: This rate limiting is applied per IP address.
- only allow 1 reset request at a time
  NB: This is effectively a rate limit that is applied per user.
- try to mitigate timing attacks that may reveal a user's email address.
- Rewrite email body for password reset request to contain the username.
  The username will be known to the person that requested the reset.
  This should serve to reassure users that this is not a phishing mail.
- refactor to use time constants and proper errors

Changelog: Security
2022-10-23 23:10:43 +02:00
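The four measures in the commit message (a per-IP limit on reset requests, at most one live reset request per user, a response that does not reveal whether the address belongs to an account, and a mail body that names the account) fit in one small service. The code below is an added illustration written for this page, not FoundKey's own implementation: the class and method names, the in-memory stores, the window and TTL values, and the mail-queue shape are all assumptions made for the example. It equalizes the work done on the "account exists" and "no such account" paths (lookup, token generation, hashing, queue push) and returns the same acknowledgement either way; actual mail delivery is deferred to the queue so the response time does not depend on whether a mail is really sent.

```typescript
import { randomBytes, timingSafeEqual, createHash } from "node:crypto";

// Time constants: assumed values for this example, not FoundKey's settings.
export const SECOND = 1_000;
export const MINUTE = 60 * SECOND;
export const IP_WINDOW = 10 * MINUTE;     // sliding window for the per-IP limit
export const IP_MAX_REQUESTS = 3;         // requests one IP may make inside the window
export const RESET_TTL = 30 * MINUTE;     // how long a pending reset request stays valid

interface User { id: string; username: string; email: string; }
interface ResetRequest { tokenHash: Buffer; expiresAt: number; }
// Queued mail job; `deliver: false` jobs exist only so every path does the same work.
export interface MailJob { to: string; body: string; token: string; deliver: boolean; }

export class RateLimitError extends Error { name = "RateLimitError"; }

export class PasswordResetService {
  private ipHits = new Map<string, number[]>();          // ip -> request timestamps
  private outstanding = new Map<string, ResetRequest>(); // userId -> live request
  public mailQueue: MailJob[] = [];
  // Decoy account so the "no such user" path runs the same steps as a real one.
  private readonly decoy: User = { id: "decoy", username: "decoy", email: "" };

  constructor(private users: User[]) {}

  // Per-IP limit: count requests inside the sliding window, reject when over the cap.
  private checkIpLimit(ip: string, now: number): void {
    const recent = (this.ipHits.get(ip) ?? []).filter(t => now - t < IP_WINDOW);
    if (recent.length >= IP_MAX_REQUESTS) throw new RateLimitError("too many reset requests");
    recent.push(now);
    this.ipHits.set(ip, recent);
  }

  // Always answers { ok: true }: the caller cannot tell whether the email is registered.
  requestReset(email: string, ip: string, now: number): { ok: true } {
    this.checkIpLimit(ip, now);
    const found = this.users.find(u => u.email === email);
    const user = found ?? this.decoy;
    // Per-user limit: only one unexpired reset request may exist at a time.
    const pending = this.outstanding.get(user.id);
    const fresh = pending === undefined || pending.expiresAt <= now;
    // Token generation and hashing happen on every path, found or not, fresh or not.
    const token = randomBytes(32);
    const tokenHash = createHash("sha256").update(token).digest();
    const deliver = found !== undefined && fresh;
    if (deliver) this.outstanding.set(user.id, { tokenHash, expiresAt: now + RESET_TTL });
    // The body names the account so the recipient can tell it from a phishing mail.
    const body = `A password reset was requested for @${user.username}. ` +
      `If that was you, use this token within ${RESET_TTL / MINUTE} minutes: ${token.toString("hex")}`;
    // Push a job on every path; only `deliver: true` jobs are actually sent later.
    this.mailQueue.push({ to: user.email, body, token: token.toString("hex"), deliver });
    return { ok: true };
  }

  // Redeems a token once, comparing hashes in constant time even when nothing is pending.
  consumeToken(userId: string, tokenHex: string, now: number): boolean {
    const pending = this.outstanding.get(userId);
    const given = createHash("sha256").update(Buffer.from(tokenHex, "hex")).digest();
    const stored = pending?.tokenHash ?? Buffer.alloc(given.length); // dummy when none pending
    const equal = timingSafeEqual(given, stored);
    const ok = equal && pending !== undefined && pending.expiresAt > now;
    if (ok) this.outstanding.delete(userId);
    return ok;
  }

  // Delivery step run by a worker; returns the recipients that really got a mail.
  flushQueue(): string[] {
    const sent = this.mailQueue.filter(j => j.deliver).map(j => j.to);
    this.mailQueue = [];
    return sent;
  }
}
```

The per-IP limit rejects loudly (a `RateLimitError` the HTTP layer can map to 429), while the per-user limit stays silent: a second request for an account that already has a live token just produces a non-delivered job, so an attacker watching responses still sees `{ ok: true }` and the same amount of work whether or not the address is registered.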