charliefortune

Reputation: 3188

How can I customise Laravel Fortify forgotten password behaviour?

My application is built from a Jetstream starter kit, and uses Laravel Fortify for authentication.

The forgotten password behaviour is considered a security risk as it allows username enumeration. For example, the message for a recognised username is different from that of an unrecognised one, therefore offering feedback to an attacker as to whether an email address is registered or not.

I'd like to change this behaviour, but can't work out where to do this. Ideally, this would be configurable - but I can't see any config settings that look like they would help.

Another thing I'd like to achieve is to set some random timeouts after authentication actions, so that average response times can't be used to indicate success/failure in email address lookup. I assume I will be able to achieve this in a similar location to my first requirement.

Upvotes: 0

Views: 57
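One way to get both behaviours asked for above (a single reply regardless of whether the address exists, plus a randomised delay), as an added example that is not the asker's code or Fortify's own. It assumes Fortify's `SuccessfulPasswordResetLinkRequestResponse` and `FailedPasswordResetLinkRequestResponse` contracts, which the package's `PasswordResetLinkController` resolves from the container with a `status` parameter; the class name, message text and delay bounds are this example's choices.

```php
<?php
// Added example: one response class bound to BOTH Fortify contracts, so the
// "sent" and "no such user" paths return the same message, status code and
// redirect, after a random delay. Class name, message and bounds are assumed.

namespace App\Http\Responses;

use Laravel\Fortify\Contracts\FailedPasswordResetLinkRequestResponse;
use Laravel\Fortify\Contracts\SuccessfulPasswordResetLinkRequestResponse;

class UniformPasswordResetLinkResponse implements
    SuccessfulPasswordResetLinkRequestResponse,
    FailedPasswordResetLinkRequestResponse
{
    // Deliberately neutral: true for a registered address and an unknown one.
    private const MESSAGE = 'If that address is registered, a reset link is on its way.';
    private const MIN_DELAY_MS = 200;
    private const MAX_DELAY_MS = 600;

    protected string $status;

    // Fortify passes the password broker status here; we accept it but
    // never surface it to the client.
    public function __construct(string $status = '')
    {
        $this->status = $status;
    }

    public function toResponse($request)
    {
        // Random jitter so the mean response time does not separate the two paths.
        usleep(random_int(self::MIN_DELAY_MS, self::MAX_DELAY_MS) * 1000);

        if ($request->wantsJson()) {
            // Same 200 for both outcomes (Fortify's default returns 422 on failure).
            return response()->json(['message' => self::MESSAGE], 200);
        }

        // Same redirect and flash key for both outcomes (no 'errors' bag on failure).
        return back()->with('status', self::MESSAGE);
    }
}

// Registration, e.g. in App\Providers\FortifyServiceProvider::register():
//
// $this->app->bind(SuccessfulPasswordResetLinkRequestResponse::class,
//     \App\Http\Responses\UniformPasswordResetLinkResponse::class);
// $this->app->bind(FailedPasswordResetLinkRequestResponse::class,
//     \App\Http\Responses\UniformPasswordResetLinkResponse::class);
```

The jitter only helps if the two paths otherwise cost about the same, so have the reset notification implement `ShouldQueue`; otherwise the synchronous mail send on the "registered" path reintroduces a measurable timing gap. Rate limiting of the endpoint (Fortify's `forgot-password` limiter) is still needed alongside this.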

Answers (0)
