[PM-30563] Change error response on Send Access token request #6911
+27
−27
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…required to protect against enumeration attacks.
test: updating tests to match new approach.
Contributor
|
New Issues (2)Checkmarx found the following issues in this Pull Request
Fixed Issues (29)Great job! The following issues were fixed in this Pull Request
|
ike-kottlowski
changed the title
Contributor
|
Claude finished @ike-kottlowski's task in 2m 25s —— View job Code Review: PM-30563 - Change error response on Send Access token requestStatus: Approved SummaryThis PR improves enumeration protection for the Send access email OTP flow by ensuring identical error responses regardless of whether an email address is valid. This is a well-implemented security improvement. Re-Review NotesThis is a re-review following a merge from main (commit 1a889ac) which incorporated PR #6921's changes to use email hashes instead of plain emails. The merge was clean and the enumeration protection logic remains correctly implemented. Changes Reviewed
Security VerificationThe enumeration protection is correctly implemented:
An attacker cannot distinguish whether an email exists in the Send's allowed list based on the response alone. Code Quality
No Issues FoundThis is a clean, focused security improvement that follows best practices for enumeration protection. Reviewed by Claude Code |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6911 +/- ##
==========================================
- Coverage 60.01% 56.07% -3.95%
==========================================
Files 1971 1971
Lines 87090 87089 -1
Branches 7759 7759
==========================================
- Hits 52266 48833 -3433
- Misses 32928 36449 +3521
+ Partials 1896 1807 -89 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🎟️ Tracking
PM-30563
SDK PR: #717
Client PR: #18620
📔 Objective
To ensure that we return the same response for a valid and invalid email, while still sending the OTP to when the email is correct.
⏰ Reminders before review
🦮 Reviewer guidelines
:+1:) or similar for great changes:memo:) or ℹ️ (:information_source:) for notes or general info:question:) for questions:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes