Reputation: 1441
what is appropriate status code for wrong email/username when user tries to reset password?
a simple use case - unlogged user tries to reset their password. they provide wrong email or username (but the format of the data is correct). should I return 400, 412 or 404?
Upvotes: 2
Views: 1001
Answers (2)
Reputation: 3515
It depends on whether the password reset resource is public or behind authentication.
The password reset resource that is publicly available should only ever respond with 200 in order to not leak information about which users exist or not. This prevents user enumeration attacks.
You should also make sure the public resource always takes the same amount of time to respond or includes a random delay, so that you don't leak the information through timing.
If the resource is behind authentication, then you may respond with informational errors like 404.
Upvotes: 3
Related Questions
- What's the appropriate HTTP status code to return if a user tries logging in with an incorrect username / password, but correct format?
- What status code should a REST API return for login requests performed with wrong credentials?
- What would be the correct HTTP response for a change password request where the old password entered is incorrect?
- Which HTTP status code to say username or password were incorrect?
- What is the appropriate status code if the user has not provided valid input, as well as an e-mail address that is not available?
- Proper status code to return when login fails
- What status code should I use if old password doesn't match while changing password?
- HTTP status code for "your password did not meet requirements"
- What is the best HTTP status code error for failed password update?
- HTTP status for "email not verified"