Email Invite Warning
#1685
Should there be a warning when a user tries to sign in with an email that hasn't been invited? I implemented a quick fix for my own instance:
Answered by
tommoor
Nov 27, 2020
You can see by the comment directly below that line that it's purposefully built this way; returning a success/failure allows enumeration of user accounts and would be considered a small security flaw.
I think the ideal solution would be to send an email to the address if they don't have an account, letting them know to request an invite. Such an email would need to be protected by a rate limiter, though.
Answer selected by
dmezh
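A sketch of the approach described in the answer above, added here as an example; it is not part of the original discussion and is not Outline's code. Every name in it (`createSignInHandler`, `sendMail`, the templates, the limits) is hypothetical, and it goes slightly beyond the answer by rate limiting both kinds of email so that known and unknown addresses are handled identically.

```javascript
// Constructed sample data; all names here are hypothetical.
const invitedUsers = new Set(["alice@example.com"]);
const GENERIC = { status: 200, body: "If that address can sign in, an email is on its way." };
const HOUR_MS = 60 * 60 * 1000;

// Fixed-window limiter: at most `limit` events per key per `windowMs`.
function createRateLimiter(limit, windowMs) {
  const windows = new Map(); // key -> { start, count }
  return function allow(key, now) {
    const w = windows.get(key);
    if (!w || now - w.start >= windowMs) {
      windows.set(key, { start: now, count: 1 });
      return true;
    }
    if (w.count >= limit) return false;
    w.count += 1;
    return true;
  };
}

// `sendMail` is assumed to enqueue the message and return at once, so the
// response time does not depend on whether the account exists.
function createSignInHandler(sendMail, now = () => Date.now()) {
  // Per recipient: nobody can use the form to flood a third party's inbox.
  const perAddress = createRateLimiter(1, HOUR_MS);
  // Per client IP: one client cannot trigger mail to many addresses.
  const perClient = createRateLimiter(5, HOUR_MS);

  return function handleEmailSignIn(rawEmail, clientIp) {
    const email = String(rawEmail).trim().toLowerCase();
    const t = now();
    // The account lookup only selects the template; it never reaches the response.
    const template = invitedUsers.has(email) ? "signin-link" : "request-invite";
    if (perClient(clientIp, t) && perAddress(email, t)) {
      sendMail({ to: email, template });
    }
    // Identical response for invited, unknown and throttled addresses.
    return GENERIC;
  };
}
```

The only place the invited/not-invited distinction becomes visible is the recipient's own inbox, which the person probing the form cannot read unless they control that address.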