Merge pull request from GHSA-8qp8-9rpw-j46c

* Ensure that missing access rules do not break the site (#15081)

(cherry picked from commit 6777145079)

* Added Exception handling and replicated error and info message

* Update auth.resource.js

Fixed the message

* Moved the delay to an earlier phase to avoid repeating code.

---------

Co-authored-by: Kenn Jacobsen <kja@umbraco.dk>
Co-authored-by: jey <jey@umbraco.dk>
Co-authored-by: Jey <cyaqublu@gmail.com>
This commit is contained in:
Nikolaj Geisle
2023-12-11 13:59:35 +01:00
parent b3caf747df
commit f7e4832898
2 changed files with 14 additions and 5 deletions


@@ -470,6 +470,9 @@ public class AuthenticationController : UmbracoApiControllerBase
}
BackOfficeIdentityUser? identityUser = await _userManager.FindByEmailAsync(model.Email);
await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500)); // To randomize response time preventing user enumeration
if (identityUser != null)
{
IUser? user = _userService.GetByEmail(model.Email);
@@ -490,14 +493,20 @@ public class AuthenticationController : UmbracoApiControllerBase
var mailMessage = new EmailMessage(from, user.Email, subject, message, true);
await _emailSender.SendAsync(mailMessage, Constants.Web.EmailTypes.PasswordReset, true);
try
{
await _emailSender.SendAsync(mailMessage, Constants.Web.EmailTypes.PasswordReset, true);
}
catch (Exception ex)
{
_logger.LogError(ex, "Error sending email, please check your SMTP configuration: {ErrorMessage}", ex.Message);
return Ok();
}
_userManager.NotifyForgotPasswordRequested(User, user.Id.ToString());
}
}
await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500));
return Ok();
}
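Review bot: The random delay awaited on line 32 does not make the two outcomes indistinguishable, because it runs before the `if (identityUser != null)` branch and the known-email path then still performs `_userService.GetByEmail`, token generation and the synchronous SMTP send, so its responses carry that extra cost on top of the jitter and the difference remains in the averaged timing over repeated requests. A response-time floor measured from the start of the request (or moving the send off the request path onto a queue) makes the response independent of the branch; a sketch follows, with the floor value illustrative and the line-32 delay dropped in its favour. With a floor, the `return Ok();` inside the new `catch (Exception ex)` must fall through to the padding rather than return directly, and since `LogError(ex, …)` already records the exception, the `{ErrorMessage}`/`ex.Message` pair in that template is redundant. The method begins before the first hunk, so the timer start lands outside the shown lines.
```csharp
long startedAt = Environment.TickCount64; // before FindByEmailAsync; the method's opening lines are outside the hunk
BackOfficeIdentityUser? identityUser = await _userManager.FindByEmailAsync(model.Email);
// … unchanged: identityUser branch, reset token and email send, catch that logs the failure …
// Pad every path to the same floor so the extra work done for a known email is not observable in the response time.
const int minResponseMs = 2500; // illustrative value: must exceed the worst-case cost of the known-email branch
long remainingMs = minResponseMs - (Environment.TickCount64 - startedAt);
if (remainingMs > 0)
{
    await Task.Delay(TimeSpan.FromMilliseconds(remainingMs));
}
return Ok();
```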


@@ -28,7 +28,7 @@ function authResource($q, $http, umbRequestHelper, angularHelper) {
* });
* </pre>
* @returns {Promise} resourcePromise object
*
*
*/
get2FAProviders: function () {
@@ -203,7 +203,7 @@ function authResource($q, $http, umbRequestHelper, angularHelper) {
"PostRequestPasswordReset"), {
email: email
}),
'Request password reset failed for email ' + email);
'An email with password reset instructions will be sent to the specified address if it matched our records');
},
/**
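Review bot: The new message on line 70 mixes tenses; `'An email with password reset instructions will be sent to the specified address if it matches our records'` reads more naturally. It is the rejection text of `resourcePromise`, so it only appears when the request itself fails, which after this change no longer happens for a server-side SMTP error (that case is logged on the server and answered with success), so the user-facing outcome is the same either way. A short comment above the call, such as `// Deliberately generic: the response must not reveal whether the address is registered`, would keep a later edit from reintroducing the address-specific wording. The first hunk of this file (lines 61–62) is whitespace-only.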