Forget Password endpoint always returns status code 200

When I call the forget password endpoint on both Postman and my Next.js app, I always get status code 200, no error, even if the user doesn't exist. In my Next.js logs I can see the user not found error being registered, but my code which looks like this:
    async function onSubmit(event: React.SyntheticEvent) {
      event.preventDefault()
      setIsLoading(true)
      setError("")

      const { data, error } = await authClient.forgetPassword({
        email: email,
        redirectTo: "/reset-password",
      });

      setIsLoading(false)

      console.log(data, error);

      if (error) {
        setError(error.message!)
        return
      }

      toast.success("Reset link sent to your email!")
      //router.push("/auth")
    }
Has data with value {status: true} and error is null. Is this normal behaviour?
Solution
lonelyplanet 2mo ago
I would say for security
lonelyplanet 2mo ago
If it wasn't like that, I could go "does email [email protected] have an account?" Just by calling forgot password I could find out, because if they did I would get a 200, and if they didn't I would get an error. I was right after checking the source code:
    if (!user) {
      ctx.context.logger.error("Reset Password: User not found", { email });
      //only on the server status is false for the client it's always true
      //to avoid leaking information
      return ctx.json(
        {
          status: false,
        },
        {
          body: {
            status: true,
          },
        },
      );
    }
FredTheNoob (OP) 2mo ago
I see, that makes sense. Thank you
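
Added example (not part of the thread and not better-auth's code): the uniform-response behaviour described in the solution, next to a variant that reveals account existence, with a check you can run against your own handler as a regression test. The handler names, the in-memory user list and the sample addresses are assumptions made for illustration.

```typescript
// Added example. Handler names and the in-memory store are hypothetical,
// constructed for illustration; this is not better-auth's API.
type Res = { status: number; body: string };
type Handler = (email: string) => Res;

const users: string[] = ["alice@example.test"]; // constructed sample account
const serverLog: string[] = []; // stands in for the server-side logger
const outbox: string[] = [];    // stands in for the mail queue

const exists = (email: string): boolean => users.indexOf(email) !== -1;

// Leaky variant: status code and body depend on whether the account exists.
const leakyForgetPassword: Handler = (email) => {
  if (!exists(email)) {
    return { status: 404, body: JSON.stringify({ message: "User not found" }) };
  }
  outbox.push(email);
  return { status: 200, body: JSON.stringify({ status: true }) };
};

// Uniform variant: the miss is recorded on the server only; the client
// receives the same status and body either way.
const uniformForgetPassword: Handler = (email) => {
  if (exists(email)) {
    outbox.push(email);
  } else {
    serverLog.push("Reset Password: User not found " + email);
  }
  return { status: 200, body: JSON.stringify({ status: true }) };
};

// Regression check: which response fields differ between a registered
// and an unregistered address? An empty list means nothing observable differs.
function responseDiff(handler: Handler, known: string, unknown: string): string[] {
  const a = handler(known);
  const b = handler(unknown);
  const diffs: string[] = [];
  if (a.status !== b.status) diffs.push("status");
  if (a.body !== b.body) diffs.push("body");
  return diffs;
}

console.log(responseDiff(leakyForgetPassword, "alice@example.test", "nobody@example.test"));
console.log(responseDiff(uniformForgetPassword, "alice@example.test", "nobody@example.test"));
```

Matching status and body does not cover response time: if the mail is sent inline only for existing accounts, latency can still differ, so queue the send off the request path.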