From f7e4832898fc4b76f29411e94e5a825e79cd6727 Mon Sep 17 00:00:00 2001
From: Nikolaj Geisle <70372949+Zeegaan@users.noreply.github.com>
Date: Mon, 11 Dec 2023 13:59:35 +0100
Subject: [PATCH] Merge pull request from GHSA-8qp8-9rpw-j46c

* Ensure that missing access rules do not break the site (#15081)

(cherry picked from commit 67771450797eb2c72449ddcabfc38d5ebf99c7f3)

* Added Exception handling and replicated error and info message

* Update auth.resource.js

Fixed the message

* Changed Delay introduction to early phase to avoid repeating code.

---------

Co-authored-by: Kenn Jacobsen <kja@umbraco.dk>
Co-authored-by: jey <jey@umbraco.dk>
Co-authored-by: Jey <cyaqublu@gmail.com>
---
 .../Controllers/AuthenticationController.cs       | 15 ++++++++++++---
 .../src/common/resources/auth.resource.js         |  4 ++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs b/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
index 284f36318a..45a1746b7e 100644
--- a/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/AuthenticationController.cs
@@ -470,6 +470,9 @@ public class AuthenticationController : UmbracoApiControllerBase
         }
 
         BackOfficeIdentityUser? identityUser = await _userManager.FindByEmailAsync(model.Email);
+
+        await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500)); // To randomize response time preventing user enumeration
+
         if (identityUser != null)
         {
             IUser? user = _userService.GetByEmail(model.Email);
@@ -490,14 +493,20 @@ public class AuthenticationController : UmbracoApiControllerBase
 
                 var mailMessage = new EmailMessage(from, user.Email, subject, message, true);
 
-                await _emailSender.SendAsync(mailMessage, Constants.Web.EmailTypes.PasswordReset, true);
+                try
+                {
+                    await _emailSender.SendAsync(mailMessage, Constants.Web.EmailTypes.PasswordReset, true);
+                }
+                catch (Exception ex)
+                {
+                    _logger.LogError(ex, "Error sending email, please check your SMTP configuration: {ErrorMessage}", ex.Message);
+                    return Ok();
+                }
 
                 _userManager.NotifyForgotPasswordRequested(User, user.Id.ToString());
             }
         }
 
-        await Task.Delay(RandomNumberGenerator.GetInt32(400, 2500));
-
         return Ok();
     }
 
diff --git a/src/Umbraco.Web.UI.Client/src/common/resources/auth.resource.js b/src/Umbraco.Web.UI.Client/src/common/resources/auth.resource.js
index e09718176c..7b0a10cf31 100644
--- a/src/Umbraco.Web.UI.Client/src/common/resources/auth.resource.js
+++ b/src/Umbraco.Web.UI.Client/src/common/resources/auth.resource.js
@@ -28,7 +28,7 @@ function authResource($q, $http, umbRequestHelper, angularHelper) {
      *    });
      * </pre>
      * @returns {Promise} resourcePromise object
-     * 
+     *
      */
     get2FAProviders: function () {
 
@@ -203,7 +203,7 @@ function authResource($q, $http, umbRequestHelper, angularHelper) {
             "PostRequestPasswordReset"), {
             email: email
           }),
-        'Request password reset failed for email ' + email);
+        'An email with password reset instructions will be sent to the specified address if it matched our records');
     },
 
     /**