fix(core): prevent account enumeration and spam during password reset by boazy · Pull Request #8375 · logto-io/logto

boazy · 2026-02-20T15:33:07Z

This PR addresses two security and operational issues in the password reset flow:

Account Enumeration: Consistently reports "code sent" (204 No Content) regardless of account existence, preventing attackers from identifying valid users.
Spam Prevention: Only triggers actual message delivery via connectors if the identifier (email/phone) is registered in the system. This prevents Logto from being used as a spam relay.

Changes:

Added user existence checks in both additionalRoutes and Experience API sendCode helper.
For ForgotPassword events, if the user doesn't exist, we skip sending the message but still return 204 No Content.
Added an audit log entry (userExists: false) for these non-delivery attempts to help identify potential enumeration attacks.

github-actions · 2026-02-20T15:33:23Z

Total Size Diff 📈 +1.22 KB

Diff by File

Name	Diff
packages/core/src/routes/experience/verification-routes/verification-code-helpers.ts	📈 +506 Bytes
packages/core/src/routes/experience/verification-routes/verification-code.ts	📈 +34 Bytes
packages/core/src/routes/interaction/additional.ts	📈 +707 Bytes

fix(core): prevent account enumeration and spam during password reset

04d16c1

boazy requested review from gao-sun, simeng-li and wangsijie as code owners February 20, 2026 15:33

github-actions bot added the bugfix label Feb 20, 2026

github-actions bot added the size/s label Feb 20, 2026

github-actions bot assigned boazy Feb 20, 2026

Provide feedback