Merge pull request from GHSA-8qp8-9rpw-j46c

* Ensure that missing access rules do not break the site (#15081) (cherry picked from commit 6777145079) * Added Exception handling and replicated error and info message * Update auth.resource.js Fixed the message * Changed Delay introduction to early phase to avoid repeating code. --------- Co-authored-by: Kenn Jacobsen <kja@umbraco.dk> Co-authored-by: jey <jey@umbraco.dk> Co-authored-by: Jey <cyaqublu@gmail.com>
2023-12-11 13:59:35 +01:00
parent 50a107f885
commit 3331788c5c
4 changed files with 16 additions and 7 deletions
--- a/src/Umbraco.Infrastructure/Persistence/Dtos/AccessDto.cs
+++ b/src/Umbraco.Infrastructure/Persistence/Dtos/AccessDto.cs
@@ -37,5 +37,5 @@ internal class AccessDto

    [ResultColumn]
    [Reference(ReferenceType.Many, ReferenceMemberName = "AccessId")]
-    public List<AccessRuleDto> Rules { get; set; } = null!;
+    public List<AccessRuleDto> Rules { get; set; } = new();
 }
--- a/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
@@ -404,6 +404,9 @@ public class AuthenticationController : UmbracoApiControllerBase
        }

        BackOfficeIdentityUser? identityUser = await _userManager.FindByEmailAsync(model.Email);
+
+        await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500)); // To randomize response time preventing user enumeration
+
        if (identityUser != null)
        {
            IUser? user = _userService.GetByEmail(model.Email);
@@ -424,14 +427,20 @@ public class AuthenticationController : UmbracoApiControllerBase

                var mailMessage = new EmailMessage(from, user.Email, subject, message, true);

-                await _emailSender.SendAsync(mailMessage, Constants.Web.EmailTypes.PasswordReset, true);
+                try
+                {
+                    await _emailSender.SendAsync(mailMessage, Constants.Web.EmailTypes.PasswordReset, true);
+                }
+                catch (Exception ex)
+                {
+                    _logger.LogError(ex, "Error sending email, please check your SMTP configuration: {ErrorMessage}", ex.Message);
+                    return Ok();
+                }

                _userManager.NotifyForgotPasswordRequested(User, user.Id.ToString());
            }
        }

-        await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500));
-
        return Ok();
    }

--- a/src/Umbraco.Web.UI.Client/src/common/resources/auth.resource.js
+++ b/src/Umbraco.Web.UI.Client/src/common/resources/auth.resource.js
@@ -28,7 +28,7 @@ function authResource($q, $http, umbRequestHelper, angularHelper) {
     *    });
     * </pre>
     * @returns {Promise} resourcePromise object
-     * 
+     *
     */
    get2FAProviders: function () {

@@ -203,7 +203,7 @@ function authResource($q, $http, umbRequestHelper, angularHelper) {
            "PostRequestPasswordReset"), {
            email: email
          }),
-        'Request password reset failed for email ' + email);
+        'An email with password reset instructions will be sent to the specified address if it matched our records');
    },

    /**
--- a/src/Umbraco.Web.UI.Client/src/views/components/application/umb-login.html
+++ b/src/Umbraco.Web.UI.Client/src/views/components/application/umb-login.html
@@ -158,7 +158,7 @@
                        </div>

                        <div ng-messages="vm.requestPasswordResetForm.$error" class="control-group" ng-show="vm.requestPasswordResetForm.$invalid">
-                            <p ng-message="auth" class="text-error" role="alert" tabindex="0">{{vm.errorMsg}}</p>
+                            <p ng-message="auth" class="text-info" role="alert" tabindex="0">{{vm.errorMsg}}</p>
                        </div>

                        <div class="control-group" ng-show="vm.showEmailResetConfirmation">