• Resolved ksoares

    (@ksoares)


    We use Auth0 and the Auth0 plugin for WP to manage logins to a membership organization site that has tens of thousands of users. One issue that is giving us a lot of trouble is the ‘forgot password’ function. If the user’s email is already in Auth0, this works fine. However, if they are not in Auth0, they see the message “WE’VE JUST SENT YOU AN EMAIL TO RESET YOUR PASSWORD” but they never actually receive an email. The end product is a lot of unnecessary phone calls to the organization.

    Can this messaging be altered to reflect a failure to find an email? The “WE’VE JUST SENT YOU AN EMAIL…” message works fine for success, but can there be another message for failure, such as “YOUR EMAIL IS NOT IN THE SYSTEM. PLEASE SIGN UP.” ?


Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi @ksoares,

    So, this is a tricky one … if we say whether a user account exists or not then we can indirectly expose sensitive information and allow for user enumeration (checking for existing user accounts). OWASP recommends general messages for this type of action:

    https://www.owasp.org/index.php/Authentication_Cheat_Sheet (“Authentication and Error Messages” section).

    I think your best course of action here is to change that error message to incorporate both scenarios. Use the languageDictionary configuration option:

    https://auth0.com/docs/libraries/lock/v11/ui-customization#customizing-text

    … which can be changed in the plugin admin screen at wp-admin > Auth0 > Settings > Advanced > “Extra Settings” field. The field to change is here:

    https://github.com/auth0/lock/blob/master/src/i18n/en.js#L50

    If you’re not already using that field, then it should look something like this:

    
    {
      "languageDictionary" : {
        "success" : {
          "forgotPassword" : "If that email address exists then an email has been sent. If no email is received then that user account may not exist."
        }
      }
    }
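
    The following is an added example, not code from this thread or from the Auth0 plugin. It contrasts a password-reset handler that leaks account existence through its response (the behaviour the original poster asked for) with one that returns the same generic message whether or not the address is registered, which is the OWASP recommendation the reply refers to. The in-memory user set, the mailer stand-in and the `leaksExistence` check are constructed for the example.

```javascript
// Added example (not from the Auth0 plugin or the forum thread).
// A leaky and a hardened "forgot password" handler side by side, plus a
// check that tells you whether a handler's response differs between a
// registered and an unregistered address.

// Same wording as the languageDictionary override suggested in the reply.
const GENERIC_RESET_MESSAGE =
  "If that email address exists then an email has been sent. " +
  "If no email is received then that user account may not exist.";

// Constructed sample user store: registered e-mail addresses, lower-cased.
const sampleUsers = new Set(["alice@example.com", "bob@example.com"]);

// Constructed mailer stand-in: records the addresses it would have mailed
// so the test can confirm the side effect happens on the right branch.
function makeMailer() {
  const sent = [];
  return { send: (to) => sent.push(to), sent };
}

function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// Leaky handler: status code and message both reveal whether the account
// exists, so anyone can enumerate valid addresses one request at a time.
function leakyReset(email, users, mailer) {
  const addr = normalizeEmail(email);
  if (!users.has(addr)) {
    return { status: 404, message: "YOUR EMAIL IS NOT IN THE SYSTEM. PLEASE SIGN UP." };
  }
  mailer.send(addr);
  return { status: 200, message: "WE'VE JUST SENT YOU AN EMAIL TO RESET YOUR PASSWORD" };
}

// Hardened handler: identical status and message on both branches. The only
// thing that differs is whether an e-mail is queued, which the requester
// cannot observe from the response.
function safeReset(email, users, mailer) {
  const addr = normalizeEmail(email);
  if (users.has(addr)) {
    mailer.send(addr);
  }
  return { status: 200, message: GENERIC_RESET_MESSAGE };
}

// Enumeration check: call the handler once with a known-registered address
// and once with an address that is not in the store, and report whether the
// visible response (status + message) differs. Returns true if it leaks.
function leaksExistence(handler, users) {
  const known = users.values().next().value;
  const unknown = "no-such-user-" + Date.now() + "@example.invalid";
  const a = handler(known, users, makeMailer());
  const b = handler(unknown, users, makeMailer());
  return a.status !== b.status || a.message !== b.message;
}

// Stand-alone demonstration.
console.log("leakyReset leaks existence:", leaksExistence(leakyReset, sampleUsers));
console.log("safeReset leaks existence: ", leaksExistence(safeReset, sampleUsers));
```

    Two caveats for anyone applying this to a real site. First, the generic message only closes the textual channel; if the registered branch sends the e-mail synchronously and the unregistered branch returns immediately, the response time still distinguishes them, so hand the send to a queue rather than awaiting the mail provider. Second, the sign-up form and the login error page need the same treatment, or the enumeration simply moves to whichever endpoint still answers differently.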
    
    Thread Starter ksoares

    (@ksoares)

    Thanks – that all makes perfect sense, and I appreciate you pointing out how we can make the change.
    K.

  • The topic ‘Need message for email addresses not in Auth0’ is closed to new replies.