Skip to content

Hardening: can we enable allauth enumeration prevention? #3043

Description

@gpshead

Is your feature request related to a problem? Please describe.

pydotorg/settings/base.py:104 sets:

# TODO: Enable enumeration prevention
ACCOUNT_PREVENT_ENUMERATION = False

With enumeration prevention off (and ACCOUNT_AUTHENTICATION_METHOD = "username_email"), the signup, login, and password-reset flows each confirm whether a given email address or username has a python.org account. A standard reconnaissance primitive.

Describe the solution you'd like

Anything preventing flipping it to True?

Drawbacks and Impact

it'd provide less feedback for password-reset typos and such.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementThis is an improvement to existing code or configuration

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions