From 9cfbb1dec977dd81f5aaaa543be2cf184a3789dc Mon Sep 17 00:00:00 2001
From: Ephraim Atta-Duncan
Date: Wed, 7 Jun 2023 10:59:20 +0000
Subject: [PATCH] Avoid leaking that a user has an account
---
 apps/web/pages/api/auth/forgot-password.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/web/pages/api/auth/forgot-password.ts b/apps/web/pages/api/auth/forgot-password.ts
index 80aefe5a7..07d57dce7 100644
--- a/apps/web/pages/api/auth/forgot-password.ts
+++ b/apps/web/pages/api/auth/forgot-password.ts
@@ -20,7 +20,7 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
 });
 if (!user) {
- return res.status(404).json({ message: "No user found with this email" });
+ return res.status(200).json({ message: "A password reset email has been sent." });
 }
 const existingToken = await prisma.passwordResetToken.findFirst({
@@ -33,7 +33,7 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
 });
 if (existingToken) {
- return res.status(400).json({ message: "Password reset requested." });
+ return res.status(200).json({ message: "A password reset email has been sent." });
 }
 const token = crypto.randomBytes(64).toString("hex");
@@ -55,7 +55,7 @@ async function postHandler(req: NextApiRequest, res: NextApiResponse) {
 await sendResetPassword(user, passwordResetToken.token);
- res.status(200).json({ message: "Password reset email sent." });
+ return res.status(200).json({ message: "A password reset email has been sent." });
 }
 export default defaultHandler({
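Review bot: The three branches now return the same status and body, but the `!user` branch in the first hunk and the `existingToken` branch in the second return before the token is written and before `await sendResetPassword(...)` in the third hunk runs, so the response latency still differs between emails that have an account and those that do not; status-code uniformity closes the obvious oracle, not the timing one. If that residual is acceptable it should be noted in a comment above the first early return, e.g. `// Uniform response hides account existence; response time may still differ since the email send is skipped here.`, otherwise consider not awaiting the send before responding. In the second hunk the message also overstates what happened: when an unexpired token already exists no new email is sent, so the user who requests twice gets nothing and is told otherwise; a wording that is true on every path, such as `{ message: "If an account exists for this email, a password reset email has been sent." }`, avoids both the misstatement and the need to keep the three strings in sync. The enclosing postHandler starts before the first hunk and the same string is duplicated in all three hunks, so a single shared constant would be preferable to three literals.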