From 7765f98ee1ea62196b0a29accfaec3844f09729a Mon Sep 17 00:00:00 2001
From: Bjarke Berg
Date: Wed, 20 Sep 2023 09:02:32 +0200
Subject: [PATCH] Added random delay in forgot password to lessen the risk the response times can be use to determine whether the mail exist or not.
---
 .../Controllers/AuthenticationController.cs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs b/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
index 1a55e164a6..4892f53012 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
@@ -1,5 +1,6 @@
 using System.Globalization;
 using System.Security.Claims;
+using System.Security.Cryptography;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
@@ -427,6 +428,8 @@ public class AuthenticationController : UmbracoApiControllerBase
 }
 }
+ await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500));
+
 return Ok();
 }
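Review bot: The added `await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500));` before `return Ok();` stacks a uniform random delay on top of whatever the branches above already cost, so any difference in mean response time between a known and an unknown address remains and is only blurred, which the commit message concedes with "lessen". A stronger form pads to a fixed floor: start a `Stopwatch` at the top of the action (outside this hunk) and wait for the remainder, e.g. `await Task.Delay(TimeSpan.FromMilliseconds(Math.Max(0, floorMs - sw.ElapsedMilliseconds)), HttpContext.RequestAborted);`, where `floorMs` is a placeholder for a value above the slowest path; alternatively, move the mail send off the request path so both branches do the same work. Passing a cancellation token also keeps aborted requests from being held for up to 2.5 s, and the endpoint still needs request throttling because the jitter does nothing to limit repeated requests. The enclosing method starts above the hunk, so the per-branch timings are inferred rather than visible here.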