requested changes

2025-03-29 22:02:57 +00:00 · 2025-03-07 19:59:29 +04:00
parent c48c9ae628
commit 67f2e4671a
2 changed files with 26 additions and 28 deletions
--- a/backend/src/services/auth/auth-password-service.ts
+++ b/backend/src/services/auth/auth-password-service.ts
@ -119,35 +119,31 @@ export const authPaswordServiceFactory = ({
   * Email password reset flow via email. Step 1 send email
   */
  const sendPasswordResetEmail = async (email: string) => {
-    const startTime = Date.now();
+    const sendEmail = async () => {
+      const user = await userDAL.findUserByUsername(email);

-    const user = await userDAL.findUserByUsername(email);
+      if (user && user.isAccepted) {
+        const cfg = getConfig();
+        const token = await tokenService.createTokenForUser({
+          type: TokenType.TOKEN_EMAIL_PASSWORD_RESET,
+          userId: user.id
+        });

-    if (user && user.isAccepted) {
-      const cfg = getConfig();
-      const token = await tokenService.createTokenForUser({
-        type: TokenType.TOKEN_EMAIL_PASSWORD_RESET,
-        userId: user.id
-      });
+        await smtpService.sendMail({
+          template: SmtpTemplates.ResetPassword,
+          recipients: [email],
+          subjectLine: "Infisical password reset",
+          substitutions: {
+            email,
+            token,
+            callback_url: cfg.SITE_URL ? `${cfg.SITE_URL}/password-reset` : ""
+          }
+        });
+      }
+    };

-      await smtpService.sendMail({
-        template: SmtpTemplates.ResetPassword,
-        recipients: [email],
-        subjectLine: "Infisical password reset",
-        substitutions: {
-          email,
-          token,
-          callback_url: cfg.SITE_URL ? `${cfg.SITE_URL}/password-reset` : ""
-        }
-      });
-    }
-
-    const elapsedTime = Date.now() - startTime;
-    // daniel: ensure each request takes 8 seconds to prevent timing attacks
-    if (elapsedTime < 8_000) {
-      // eslint-disable-next-line no-promise-executor-return
-      await new Promise((resolve) => setTimeout(resolve, 8_000 - elapsedTime));
-    }
+    // note(daniel): run in background to prevent timing attacks
+    void sendEmail();
  };

  /*
--- a/frontend/src/pages/auth/VerifyEmailPage/VerifyEmailPage.tsx
+++ b/frontend/src/pages/auth/VerifyEmailPage/VerifyEmailPage.tsx
@ -103,8 +103,10 @@ export const VerifyEmailPage = () => {
            Look for an email in your inbox.
          </p>
          <div className="mt-4 flex flex-row items-center justify-center md:mx-2 md:pb-4">
-            <p className="flex w-max justify-center text-center text-sm text-gray-400">
-              An email with instructions has been sent to {email}.
+            <p className="w-max text-center text-sm text-gray-400">
+              If the email is in our system, you will receive an email at{" "}
+              <span className="italic">{email}</span> with instructions on how to reset your
+              password.
            </p>
          </div>
        </div>