LOADING…
0%
Complete changelog

Commit

Close password-reset timing side channel; fix stale doc references

Commit details

Commit notes

Defer all account-dependent work (user lookup, token issuance, email) in /forgot-password until after the uniform response is returned, so response timing no longer reveals whether an account exists or which auth provider it uses. Also update CLAUDE.md/AGENTS.md for the removed CSRF middleware and the correct /webhooks/stripe path.

[private session redacted]

Files changed
3
Lines added
+68
Lines removed
−77
This page is a permanent record of commit 2e595f64.