[SYNCOPE-1974] Avoid password reset user enumeration

client/idrepo/enduser/src/main/resources/org/apache/syncope/client/enduser/pages/SelfPasswordReset.properties

@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 password-reset=Password reset
-self.pwd.reset.success=Your password has been reset successfully!
-self.pwd.reset.success.msg=An email has been sent to your address.
+self.pwd.reset.success=Password reset process started
+self.pwd.reset.success.msg=If an account matching the provided information exists, password reset instructions will be sent to the associated email address in a few seconds.
 self.pwd.reset.error=Error during password reset!
 self.pwd.reset.error.msg=Try again or contact an administrator.

client/idrepo/enduser/src/main/resources/org/apache/syncope/client/enduser/pages/SelfPasswordReset_fr_CA.properties

@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 password-reset=Password reset
-self.pwd.reset.success=Your password has been reset successfully!
-self.pwd.reset.success.msg=An email has been sent to your address.
+self.pwd.reset.success=Password reset process started
+self.pwd.reset.success.msg=If an account matching the provided information exists, password reset instructions will be sent to the associated email address in a few seconds.
 self.pwd.reset.error=Error during password reset!
 self.pwd.reset.error.msg=Try again or contact an administrator.

client/idrepo/enduser/src/main/resources/org/apache/syncope/client/enduser/pages/SelfPasswordReset_it.properties

@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 password-reset=Reset della password
-self.pwd.reset.success=La password \u00e8 stata resettata con successo
-self.pwd.reset.success.msg=Una email \u00e8 stata inviata all'indirizzo configurato
+self.pwd.reset.success=Processo di reset password avviato
+self.pwd.reset.success.msg=Se esiste un account corrispondente alle informazioni fornite, le istruzioni per il reset della password verranno inviate all'indirizzo email associato entro pochi secondi.
 self.pwd.reset.error=Error during password reset!
 self.pwd.reset.error.msg=Try again or contact an administrator.

client/idrepo/enduser/src/main/resources/org/apache/syncope/client/enduser/pages/SelfPasswordReset_ja.properties

@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 password-reset=\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u30ea\u30bb\u30c3\u30c8
-self.pwd.reset.success=\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u30ea\u30bb\u30c3\u30c8\u3057\u307e\u3057\u305f
-self.pwd.reset.success.msg=An email has been sent to your address.
+self.pwd.reset.success=Password reset process started
+self.pwd.reset.success.msg=If an account matching the provided information exists, password reset instructions will be sent to the associated email address in a few seconds.
 self.pwd.reset.error=Error during password reset!
 self.pwd.reset.error.msg=Try again or contact an administrator.

client/idrepo/enduser/src/main/resources/org/apache/syncope/client/enduser/pages/SelfPasswordReset_pt_BR.properties

@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 password-reset=Resetar a senha
-self.pwd.reset.success=Senha redefinida com sucesso
-self.pwd.reset.success.msg=An email has been sent to your address.
+self.pwd.reset.success=Password reset process started
+self.pwd.reset.success.msg=If an account matching the provided information exists, password reset instructions will be sent to the associated email address in a few seconds.
 self.pwd.reset.error=Error during password reset!
 self.pwd.reset.error.msg=Try again or contact an administrator.

client/idrepo/enduser/src/main/resources/org/apache/syncope/client/enduser/pages/SelfPasswordReset_ru.properties

@@ -15,7 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 password-reset=\u0412\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0430\u0440\u043e\u043b\u044f
-self.pwd.reset.success=\u041f\u0430\u0440\u043e\u043b\u044c \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u0441\u0431\u0440\u043e\u0448\u0435\u043d
-self.pwd.reset.success.msg=An email has been sent to your address.
+self.pwd.reset.success=Password reset process started
+self.pwd.reset.success.msg=If an account matching the provided information exists, password reset instructions will be sent to the associated email address in a few seconds.
 self.pwd.reset.error=Error during password reset!
 self.pwd.reset.error.msg=Try again or contact an administrator.

core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/UserSelfLogic.java

@@ -315,7 +315,7 @@ public void confirmPasswordReset(final String token, final String password) {
         }
 
         String key = userDAO.findByToken(token).
-                orElseThrow(() -> new NotFoundException("User with token " + token));
+                orElseThrow(() -> new NotFoundException("User"));
 
         provisioningManager.confirmPasswordReset(
                 key, token, password, AuthContextUtils.getUsername(), REST_CONTEXT);

core/spring/src/main/java/org/apache/syncope/core/spring/security/SecurityProperties.java

@@ -174,6 +174,8 @@ public void setUseLenientSaltSizeCheck(final boolean useLenientSaltSizeCheck) {
 
     private final ThrottleProperties authenticationThrottle = new ThrottleProperties();
 
+    private boolean passwordResetHideDetails = true;
+
     private final ThrottleProperties passwordResetThrottle = new ThrottleProperties();
 
     private final AuthenticationErrorProperties authenticationError = new AuthenticationErrorProperties();
@@ -272,6 +274,14 @@ public SecurityProperties.ThrottleProperties getAuthenticationThrottle() {
         return authenticationThrottle;
     }
 
+    public boolean isPasswordResetHideDetails() {
+        return passwordResetHideDetails;
+    }
+
+    public void setPasswordResetHideDetails(final boolean passwordResetHideDetails) {
+        this.passwordResetHideDetails = passwordResetHideDetails;
+    }
+
     public ThrottleProperties getPasswordResetThrottle() {
         return passwordResetThrottle;
     }

core/starter/src/main/resources/core.properties

@@ -107,6 +107,8 @@ security.authenticationThrottle.maxAttempts=5
 security.authenticationThrottle.windowSeconds=60
 security.authenticationThrottle.lockSeconds=60
 
+security.passwordResetHideDetails=true
+
 security.passwordResetThrottle.enabled=true
 security.passwordResetThrottle.maxAttempts=5
 security.passwordResetThrottle.windowSeconds=300

fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserSelfITCase.java

@@ -351,12 +351,12 @@ public void passwordReset() throws Exception {
         assertNotNull(read);
 
         // 3. request password reset (as anonymous) providing the expected security answer
-        try {
-            ANONYMOUS_CLIENT.getService(UserSelfService.class).requestPasswordReset(user.getUsername(), "WRONG");
-            fail("This should not happen");
-        } catch (SyncopeClientException e) {
-            assertEquals(ClientExceptionType.InvalidSecurityAnswer, e.getType());
-        }
+        SyncopeClientException e = assertThrows(
+                SyncopeClientException.class,
+                () -> ANONYMOUS_CLIENT.getService(UserSelfService.class).
+                        requestPasswordReset(user.getUsername(), "WRONG"));
+        assertEquals(ClientExceptionType.InvalidSecurityAnswer, e.getType());
+
         ANONYMOUS_CLIENT.getService(UserSelfService.class).requestPasswordReset(user.getUsername(), "Rossi");
 
         awaitIfExtSearchEnabled();
@@ -372,13 +372,13 @@ public void passwordReset() throws Exception {
                 StringUtils::isNotBlank);
 
         // 5. confirm password reset
-        try {
-            ANONYMOUS_CLIENT.getService(UserSelfService.class).confirmPasswordReset("WRONG TOKEN", "newPassword");
-            fail("This should not happen");
-        } catch (SyncopeClientException e) {
-            assertEquals(ClientExceptionType.NotFound, e.getType());
-            assertTrue(e.getMessage().contains("WRONG TOKEN"));
-        }
+        e = assertThrows(
+                SyncopeClientException.class,
+                () -> ANONYMOUS_CLIENT.getService(UserSelfService.class).
+                        confirmPasswordReset("WRONG TOKEN", "newPassword"));
+        assertEquals(ClientExceptionType.NotFound, e.getType());
+        assertFalse(e.getMessage().contains("WRONG TOKEN"));
+
         ANONYMOUS_CLIENT.getService(UserSelfService.class).confirmPasswordReset(token, "newPassword123");
 
         if (!IS_NEO4J_PERSISTENCE) {
@@ -445,13 +445,13 @@ public void passwordResetWithoutSecurityQuestion() {
         assertNotNull(token);
 
         // 5. confirm password reset
-        try {
-            ANONYMOUS_CLIENT.getService(UserSelfService.class).confirmPasswordReset("WRONG TOKEN", "newPassword");
-            fail("This should not happen");
-        } catch (SyncopeClientException e) {
-            assertEquals(ClientExceptionType.NotFound, e.getType());
-            assertTrue(e.getMessage().contains("WRONG TOKEN"));
-        }
+        SyncopeClientException e = assertThrows(
+                SyncopeClientException.class,
+                () -> ANONYMOUS_CLIENT.getService(UserSelfService.class).
+                        confirmPasswordReset("WRONG TOKEN", "newPassword"));
+        assertEquals(ClientExceptionType.NotFound, e.getType());
+        assertFalse(e.getMessage().contains("WRONG TOKEN"));
+
         ANONYMOUS_CLIENT.getService(UserSelfService.class).confirmPasswordReset(token, "newPassword123");
 
         // 6. verify that password was reset and token removed