Failed Password Reset Link (API Response)
In an edge case scenario, a "forgot password" mechanism can be misused to guess whether a user account exists. Most commonly, this is done by requesting a password reset for a specified email address. If your application answers with a successful response only for a valid email, an attacker learns that the account exists and can proceed with exploitation attempts.
Note
The scenario described above is NOT specific to Laravel Fortify. Any kind of "reset password" functionality is susceptible, as long as end-users are able to request a password reset link.
See Testing for Account Enumeration and Guessable User Account (OWASP Web Security Testing Guide) for additional details.
To reduce the chances of revealing the existence of a user account when a reset link is requested, the FailedPasswordResetLinkApiResponse can be used. Whenever the requested username (e.g. email) does not exist, the component throws a "password reset link failure" exception, which results in an HTTP 200 OK response. An attacker is then no longer able to tell the difference between a valid and an invalid username.
Limitations
The FailedPasswordResetLinkApiResponse is intended for API-driven login mechanisms, e.g. when your "request reset password" functionality is implemented via a JSON-based API.
How to use
To use the custom API response, register a singleton binding for the FailedPasswordResetLinkRequestResponse interface, e.g. in your application's AuthServiceProvider:
<?php

namespace App\Providers;

use Aedart\Auth\Fortify\Responses\FailedPasswordResetLinkApiResponse;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Laravel\Fortify\Contracts\FailedPasswordResetLinkRequestResponse;

class AuthServiceProvider extends ServiceProvider
{
    public function boot()
    {
        // Replace Fortify's default "failed reset link request" response with the
        // API response, so an unknown email no longer produces a distinguishable reply.
        $this->app->singleton(
            FailedPasswordResetLinkRequestResponse::class,
            FailedPasswordResetLinkApiResponse::class
        );
    }
}
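Once the binding is registered, a feature test can guard against the enumeration issue returning in a later change. The following is an added example, not part of this page or of the Athenaeum package; it assumes Fortify's default POST /forgot-password route, the default App\Models\User model with a factory, and JSON responses from the endpoint.

```php
<?php
// Added example (not package code): a Laravel feature test asserting that the
// "forgot password" endpoint answers identically for registered and
// unregistered email addresses. Assumes Fortify's default /forgot-password
// route, App\Models\User with a factory, and JSON responses (all assumptions).

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Notification;
use Tests\TestCase;

class PasswordResetEnumerationTest extends TestCase
{
    use RefreshDatabase;

    public function test_known_and_unknown_emails_get_identical_responses(): void
    {
        // Prevent a real reset notification from being sent for the known address.
        Notification::fake();

        // Constructed sample account; the second address is deliberately never registered.
        User::factory()->create(['email' => 'known@example.test']);

        $known   = $this->postJson('/forgot-password', ['email' => 'known@example.test']);
        $unknown = $this->postJson('/forgot-password', ['email' => 'unknown@example.test']);

        // Both requests must yield the same HTTP status (200 OK once the
        // FailedPasswordResetLinkApiResponse binding is active)...
        $known->assertStatus(200);
        $unknown->assertStatus(200);

        // ...and the same JSON keys, so the body shape cannot serve as an oracle either.
        $this->assertSame(
            array_keys($known->json()),
            array_keys($unknown->json()),
            'Response shape differs between registered and unregistered emails'
        );
    }
}
```

The test compares status codes and body structure only; it does not measure response timing, which remains a separate concern when the two code paths do different amounts of work.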