OK, so I have an app that’s been up and working for several months now and have found that there’s a bug with the user’s ability to do a manual password reset if they forget their password. After looking it over, I’m not really sure what’s wrong.
Process works like this: The user clicks ‘forgot password’ link and it generates the popup below.
They type in their email and hit send. Problem comes in here where it won’t stop telling the user that their email doesn’t exist even when it does. I ran into the issue where we can no longer use upper and lower case letters together as there’s a bug in Bubble. I made sure users were using only lowercase letters and that still didn’t change the outcome. So there’s something wrong with the app itself.
Here is the workflow.
When the user clicks the send button, we do a check to see if there is a user with the email that was typed in. If yes, then a password reset email is sent. If no, then a message telling them it doesn’t exist pops up.
Any suggestions on what I should be doing with the privacy rules? Here are my current rules. I did check the box next to email and that didn’t fix the problem. This was working at release with the current settings so I don’t know what’s different.
Try checking the boxes for Find this in searches as well as the email field for everyone else.
The above being said, that probably isn’t the best way to go from a security perspective because you are giving users an interface to see whether or not a particular email address has an account in your system.
Well, as a User who’s forgotten their password obviously can’t be logged in, you’ll need to allow anyone to find the User and see their email field…
So, as @mikeloc says, allow both of those things for anyone in order to make what you’re trying to do work… (whether or not it’s good practice to make Users’ email addresses publicly visible is another matter…)
Thank you @mikeloc and @adamhholmes ! Yes, this worked. I first checked both Find this in and the email field for everyone else. That made it work. Then I removed the email field and republished, and it still worked with just the one checked. So we’re able to get around the security risk there. Only thing I can think of is I tested this with different privacy settings in development and then launched. So it was flawed from the outset and I never caught it until a user found it.
You could also tell the user “If this email address is in our system you will receive a message with a reset password link”.
That way you aren’t exposing any sensitive information, nor giving incorrect info.
Agreed… that’s a more secure way to do things, and certainly what you see from most websites nowadays (in my experience at least)…
That would be easy enough to change and if you all think it’s more secure, I’m certainly up for it. I’m always concerned about security issues which is why I tried to lock things down best I could before launch and probably made issues for this post. Thanks for the idea!
I use Search for, with the constraint for the email address, but check only whether the first item is empty, rather than count is 0.
Then all I need to do is enable it to be found in searches rather than show the field it searches for in the privacy settings. Not sure if this is the expected result, but it works and only returns a unique ID, keeping the user email invisible.
The above solution is the way forward for your issue regarding visually confirming an email address exists in your dataset.
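For readers who want to see the two ideas in this thread in plain code (the generic “If this email address is in our system…” reply, and a lookup that returns only the user’s unique ID rather than the email field), here is an added example that is not part of the original posts and is not Bubble code. It is a small Python model of the reset workflow: the `USERS` table, the `RESET_TOKENS` store, the `OUTBOX` mail queue and the `https://app.example/reset` link are all constructed stand-ins. It also lower-cases the typed address before the lookup, since the mixed-case matching problem mentioned earlier is a common reason a reset form claims an existing email “doesn’t exist”. The leaky handler is kept beside the safe one so the difference in responses is visible.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed sample user table for this example (not real data).
# The email is the lookup key; only the id is ever handed back to the
# reset workflow, so the email field itself never has to be readable.
USERS = {
    "alice@example.com": {"id": "u-1001", "name": "Alice"},
    "bob@example.com": {"id": "u-1002", "name": "Bob"},
}

# One reply for every input, whether or not the account exists.
GENERIC_RESPONSE = (
    "If this email address is in our system, you will receive a message "
    "with a password reset link."
)

TOKEN_TTL_SECONDS = 15 * 60

# In-memory stand-ins (assumptions for the example) for the reset-token
# table and the outgoing mail queue.
RESET_TOKENS = {}   # sha256(token) -> {"user_id": ..., "expires": ...}
OUTBOX = []         # (recipient, reset_link)


def normalize_email(raw: str) -> str:
    """Trim and lower-case so 'Alice@Example.com' matches 'alice@example.com'."""
    return raw.strip().lower()


def find_user_id(email: str) -> Optional[str]:
    """Return only the user's id for a matching email, or None.

    This mirrors the 'first item is empty' search: the caller learns an
    opaque id (or nothing), never the stored email value.
    """
    record = USERS.get(normalize_email(email))
    return record["id"] if record else None


def _issue_token(user_id: str, recipient: str) -> None:
    """Create a one-time reset token, store only its hash, and queue the mail."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = {
        "user_id": user_id,
        "expires": time.time() + TOKEN_TTL_SECONDS,
    }
    OUTBOX.append((recipient, f"https://app.example/reset?token={token}"))


def request_reset_leaky(email: str) -> str:
    """Enumeration oracle: the reply tells the caller whether the account exists."""
    user_id = find_user_id(email)
    if user_id is None:
        return "That email address doesn't exist."
    _issue_token(user_id, normalize_email(email))
    return "Password reset email sent."


def request_reset_safe(email: str) -> str:
    """Same reply for every input; only the side effect (sending mail) differs."""
    user_id = find_user_id(email)
    if user_id is not None:
        _issue_token(user_id, normalize_email(email))
    return GENERIC_RESPONSE


def consume_reset_token(token: str) -> Optional[str]:
    """Return the user id for a valid, unexpired token and burn it; else None."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)
    if entry is None or entry["expires"] < time.time():
        return None
    return entry["user_id"]


if __name__ == "__main__":
    print(request_reset_safe("Alice@Example.com"))   # account exists: mail queued
    print(request_reset_safe("nobody@example.com"))  # no account: identical reply
    print("queued:", OUTBOX)
```

The safe handler still does real work only for a known address, so an attacker who can measure response time or watch the outbox could in principle still tell the cases apart; the generic message closes the direct oracle that the original workflow exposed. Storing only a hash of the token means a leaked token table cannot be replayed, and `consume_reset_token` removes the entry on first use so a link works once.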