Map PUT /auth/reset-password and PUT /auth/recovery-password failures into LegacyRecoverPasswordErrorEvent. Reset-password now treats 404 (email not found) as success and surfaces a generic sent-if-exists flow, closing an account enumeration vector. Recovery-password differentiates 401 (tokenExpired), 404 (tokenNotFound), 403+Property (invalidField) from 403 without Property (weakPassword). The view state splits validation vs API errors with a displayErrorKey extension for the inline error text.
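The mapping described above, written out as an added example that is not the project's own code (the page does not show the client's language or the real event type, so the names `LegacyRecoverPasswordErrorEvent`, `ApiResponse`, `ViewState` and the i18n keys returned by `displayErrorKey` are assumptions). It shows the two points a reviewer would check: `reset-password` folds 404 into the same `sentIfExists` outcome as 2xx so the UI cannot distinguish a known address from an unknown one, and `recovery-password` keys on the presence of `property` in a 403 body to tell a field error from a weak-password rejection. Note that folding the status on the client only closes the channel the client renders; if the server still answers faster or with a different body for unknown addresses, the enumeration vector survives server-side.

```typescript
// Added example (not the project's code). Event names, the response shape and
// the i18n keys are assumptions made for illustration.

type LegacyRecoverPasswordErrorEvent =
  | { kind: "tokenExpired" }
  | { kind: "tokenNotFound" }
  | { kind: "invalidField"; property: string }
  | { kind: "weakPassword" }
  | { kind: "unexpected"; status: number };

// Minimal view of an HTTP response: status plus an optional JSON body.
// A 403 from recovery-password may carry `property` naming the offending field.
interface ApiResponse {
  status: number;
  body?: { property?: string; message?: string };
}

type ResetOutcome =
  | { kind: "sentIfExists" }
  | { kind: "error"; event: LegacyRecoverPasswordErrorEvent };

// PUT /auth/reset-password: 2xx and 404 collapse into one outcome, so the
// caller never learns whether the e-mail was registered. Other statuses are
// genuine failures and are surfaced as events.
function mapResetPasswordResponse(res: ApiResponse): ResetOutcome {
  const ok = res.status >= 200 && res.status < 300;
  if (ok || res.status === 404) {
    return { kind: "sentIfExists" };
  }
  return { kind: "error", event: { kind: "unexpected", status: res.status } };
}

// PUT /auth/recovery-password: null on success, otherwise the mapped event.
// 403 is ambiguous on status alone; the body's `property` disambiguates.
function mapRecoveryPasswordResponse(
  res: ApiResponse,
): LegacyRecoverPasswordErrorEvent | null {
  if (res.status >= 200 && res.status < 300) return null;
  switch (res.status) {
    case 401:
      return { kind: "tokenExpired" };
    case 404:
      return { kind: "tokenNotFound" };
    case 403:
      return res.body?.property
        ? { kind: "invalidField", property: res.body.property }
        : { kind: "weakPassword" };
    default:
      return { kind: "unexpected", status: res.status };
  }
}

// View state keeps local validation errors apart from API errors; validation
// wins because it is known before any request is sent.
interface ViewState {
  validationError: string | null;
  apiError: LegacyRecoverPasswordErrorEvent | null;
}

// Resolves the inline error text key for the current state (null = no error).
function displayErrorKey(state: ViewState): string | null {
  if (state.validationError) return state.validationError;
  if (!state.apiError) return null;
  switch (state.apiError.kind) {
    case "tokenExpired":
      return "error.tokenExpired";
    case "tokenNotFound":
      return "error.tokenNotFound";
    case "invalidField":
      return `error.invalidField.${state.apiError.property}`;
    case "weakPassword":
      return "error.weakPassword";
    default:
      return "error.generic";
  }
}

// Constructed sample responses, as a client would see them.
const unknownEmail: ApiResponse = { status: 404, body: { message: "not found" } };
const badField: ApiResponse = { status: 403, body: { property: "password" } };
const weak: ApiResponse = { status: 403, body: {} };
console.log(mapResetPasswordResponse(unknownEmail).kind); // sentIfExists
console.log(displayErrorKey({ validationError: null, apiError: mapRecoveryPasswordResponse(badField) }));
console.log(displayErrorKey({ validationError: null, apiError: mapRecoveryPasswordResponse(weak) }));
```

The `unexpected` event carries the raw status so telemetry can still count real failures without the UI ever rendering a status-specific message for reset-password.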