我有一个处理程序来启动密码重置。它总是返回成功的 200 状态码,因此攻击者无法使用它来找出数据库中存储了哪些电子邮件地址。问题是,如果数据库中有一封电子邮件,则需要一段时间才能完成请求(阻止用户查找并发送带有重置令牌的实际电子邮件)。如果用户不在数据库中,请求会很快返回,因此被攻击者会知道电子邮件不存在。
在后台处理请求时,我将如何立即返回 HTTP 响应?
pub async fn forgot_password_handler(
email_from_path: web::Path<String>,
pool: web::Data<Pool>,
redis_client: web::Data<redis::Client>,
) -> HttpResponse {
let conn: &PgConnection = &pool.get().unwrap();
let email_address = &email_from_path.into_inner();
// search for user with email address in users table
match users.filter(email.eq(email_address)).first::<User>(conn) {
Ok(user) => {
// some stuff omitted.. this is what happens:
// create random token for user and store a hash of it in redis (it'll expire after some time)
// send email with password reset link and token (not hashed) to client
// then return with
HttpResponse::Ok().finish(),
}
_ => HttpResponse::Ok().finish(),
}
}