Discussion on: Implementing Passwordless Authentication in Node.JS

Idris Rampurawala

Nice article! Leaving aside whether this method is safe or not, as already under discussion by our dev members, I want to highlight one thing here.

In the /login API (snippet below), if an email is not found, then we should not tell the user that the email is not in our system. This is a security risk by which a hacker can identify valid emails in a system.

const express = require("express");
const app = express();
app.use(express.json()); // needed so req.body.email is populated

// Login endpoint (as quoted from the article; the response text differs
// depending on whether the email is known, which is the enumeration leak)
app.post("/login", (req, res) => {
  const email = req.body.email;

  if (!email) {
    // Express sets the status with res.status(), not res.statusCode()
    res.status(403);
    res.send({
      message: "There is no email address that matches this.",
    });
  }

  if (email) {
    res.status(200);
    res.send(email);
  }
});

Hence, the /login API can just respond with something generic like "You will receive an email with the link if an account is found associated with this email." 😁

ajv

Excellent point to bring up! The same goes for signups. You should always say "You'll receive an email", and for existing emails, simply state "Someone tried to sign up with us. If that was you, log in here instead."

That way a malicious user/attacker can't enumerate the existing emails at a large scale.

Karl Krasnowsky

Yeah, I know this is the preferred "safe" response, but it can be frustrating when you're "sure" that was the email (I have many) and don't get a response.
I would prefer an email be sent anyway with a message telling me that the email provided wasn't registered, so at least I know the process is working.
I don't see a security problem with this approach? Though it may result in an increase of bounced emails from fat-fingered entries.

Luis

The line `const email = req.body.email` is related to what the user types in the input element.
The if statement only checks whether the value of email is truthy or not. So it only checks whether the user typed something in the input element.

Nana aka y_chris

If I were a hacker, I would know from the message that my details are not, hence no email with some link.
So to me it's still the same.