Summary
Password reset endpoints should be resilient to abuse (email flooding, brute-force attempts, and account enumeration). Add rate limiting and ensure consistent responses.
Affected code
backend/src/Controller/Auth/PasswordController.php
backend/src/Service/PasswordResetService.php (and related email/token logic)
Risks
- Account enumeration if responses differ based on whether an email exists.
- Abuse/spam by repeatedly triggering reset emails.
- Brute-force against reset tokens/hashes.
Suggested fix
- Add Symfony RateLimiter (or equivalent) for:
  - /api/auth/password/forgot per IP and per email
  - /api/auth/password/reset per IP and per token/hash
- Always return a generic response for forgot-password (e.g., 200 + empty body) regardless of email existence.
- Ensure reset tokens are single-use, expire quickly, and are stored hashed (if not already).
- Add audit logs/monitoring for repeated attempts.
Acceptance criteria
- Repeated requests are throttled with 429.
- No observable difference between existing/non-existing emails.
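As an added example of the suggested fix and the acceptance criteria above (not the project's own code), a forgot-password action guarded by two Symfony RateLimiter keys that answers 429 when throttled and otherwise returns the same generic 200 whether or not the address exists. It assumes Symfony 6.4+, the limiter names and limits shown in the header comment, and a `PasswordResetService::requestReset()` method that stays silent for unknown addresses.

```php
<?php
// Added example, not the project's own code. Assumes two limiters declared in
// config/packages/rate_limiter.yaml (limits are assumptions, tune to real traffic):
//   framework:
//       rate_limiter:
//           password_forgot_ip:    { policy: sliding_window, limit: 10, interval: '15 minutes' }
//           password_forgot_email: { policy: sliding_window, limit: 3,  interval: '1 hour' }
// Symfony autowires them by argument name as $passwordForgotIpLimiter / $passwordForgotEmailLimiter.
namespace App\Controller\Auth;

use App\Service\PasswordResetService;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\Routing\Attribute\Route;

final class PasswordController
{
    public function __construct(
        private RateLimiterFactory $passwordForgotIpLimiter,
        private RateLimiterFactory $passwordForgotEmailLimiter,
        private PasswordResetService $resetService, // requestReset() below is an assumed method name
    ) {}

    #[Route('/api/auth/password/forgot', methods: ['POST'])]
    public function forgot(Request $request): Response
    {
        $body  = json_decode($request->getContent(), true) ?: [];
        $email = mb_strtolower(trim((string) ($body['email'] ?? '')));
        // Per-IP limit first (stops floods), then per-email limit (stops one inbox being targeted
        // from many IPs). Both run before any user lookup, so the limiter cannot leak existence.
        foreach ([
            $this->passwordForgotIpLimiter->create($request->getClientIp() ?? 'unknown'),
            $this->passwordForgotEmailLimiter->create(hash('sha256', $email)),
        ] as $limiter) {
            $limit = $limiter->consume(1);
            if (!$limit->isAccepted()) {
                // 429 with a Retry-After header; the error body is identical for every caller.
                $retryAfter = max(1, $limit->getRetryAfter()->getTimestamp() - time());
                throw new TooManyRequestsHttpException($retryAfter);
            }
        }
        // The service handles "no such account" silently (no email, no exception), so the
        // response is the same whether or not the address is registered.
        $this->resetService->requestReset($email);
        return new Response('', Response::HTTP_OK); // generic 200 with empty body
    }
}
```

Keying the per-email limiter on a hash of the normalized address keeps raw addresses out of the limiter storage while still counting requests per victim.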