Customise Password Reset Error / Success

#1

I am trying to customise the message returned from Parse Server to guard against account enumeration.

Currently the server will return "No user found with email [email protected]." If there is a user with the email then it will say that something has been sent.

This isn’t ideal as the message confirms that someone with that email actually has an account. I would like to customise this message on the client side as it’s quite easy to see the actual message coming back in Dev tools so I am after a nicer fix than just customising on the frontend.

A message like "If an account exists for [email protected], a password reset email has been sent."

Many thanks.

#2

Simon -

Great idea. Currently, that message is hardcoded as an Error - I’m not sure if we have localisation in place on the server to override that message, but - it may be possible to catch the error, and change the message.

There is a good argument however to just open a pull request. Here’s the questionable line:
https://github.com/parse-community/parse-server/blob/7c81290252493e9eb0dcc094075ab71c5a70908a/src/Routers/UsersRouter.js#L393

Thanks,
W
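The "catch the error, and change the message" approach discussed above, sketched as an added example (not code from this thread or from Parse Server). `stubResetBackend`, `toClientResponse` and `handleResetRequest` are hypothetical names, the backend is a constructed stand-in, and the error code 205 is assumed to match `Parse.Error.EMAIL_NOT_FOUND`.

```javascript
// Added example: all function names here are hypothetical, not Parse Server APIs.
const EMAIL_NOT_FOUND = 205; // assumed to match Parse.Error.EMAIL_NOT_FOUND

// Constructed stand-in for the server-side reset call: it rejects for unknown
// emails, which is the behaviour that enables account enumeration.
const KNOWN_EMAILS = new Set(['alice@example.com']); // constructed sample data
async function stubResetBackend(email) {
  if (!KNOWN_EMAILS.has(email)) {
    const err = new Error(`No user found with email ${email}.`);
    err.code = EMAIL_NOT_FOUND;
    throw err;
  }
  // A real backend would queue the reset email here.
}

// Map the backend outcome to what the client sees. Success and "no such user"
// produce the same status and body, so the response no longer reveals
// whether the account exists.
function toClientResponse(email, err) {
  if (!err || err.code === EMAIL_NOT_FOUND) {
    return {
      status: 200,
      message: `If an account exists for ${email}, a password reset email has been sent.`,
    };
  }
  // Failures unrelated to account existence get a generic message with no
  // internal detail.
  return { status: 500, message: 'Unable to process the request. Please try again later.' };
}

// Wrap the backend call so the raw error never reaches the client.
async function handleResetRequest(email, backend = stubResetBackend) {
  try {
    await backend(email);
    return toClientResponse(email, null);
  } catch (err) {
    return toClientResponse(email, err);
  }
}

// Demo: both requests print the same status and the same message template.
handleResetRequest('alice@example.com').then((r) => console.log(r));
handleResetRequest('nobody@example.com').then((r) => console.log(r));
```

The response body is only one signal: if the existing-account path takes noticeably longer (for example because it sends mail inline), the difference in response time can still distinguish the two cases.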

#3

A similar PR was just merged for custom password reset

You can use that as a base

#4

Thanks to you both… I have some learning to do, but I am going to give it a go. Any tips on how you’d tackle it would be good to hear. Thinking it would be a config option in index.js?

#5

@dplewis - Do we have any localisation currently on the server?

#6

There isn’t

Where do you see it being used?