Commit
Close password-reset timing side channel; fix stale doc references
Commit details
Commit notes
Defer all account-dependent work (user lookup, token issuance, email) in /forgot-password until after the uniform response is returned, so response timing no longer reveals whether an account exists or which auth provider it uses. Also update CLAUDE.md/AGENTS.md for the removed CSRF middleware and the correct /webhooks/stripe path.
[private session redacted]
- Files changed
- 3
- Lines added
- +68
- Lines removed
- −77