From 8ca053fad3c5b831ec50f6cdc1386f3fb8b3f870 Mon Sep 17 00:00:00 2001
From: Livio Spring <livio.a@gmail.com>
Date: Mon, 9 Oct 2023 12:47:43 +0300
Subject: [PATCH] fix: respect "Ignore unknown usernames" on password reset

Merge pull request from GHSA-v683-rcxx-vpff

(cherry picked from commit 54676eda9806634d3b249541c30f979b4b0dce21)
---
 internal/api/ui/login/password_reset_handler.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/internal/api/ui/login/password_reset_handler.go b/internal/api/ui/login/password_reset_handler.go
index 90da71d263..c85ca97b74 100644
--- a/internal/api/ui/login/password_reset_handler.go
+++ b/internal/api/ui/login/password_reset_handler.go
@@ -25,6 +25,9 @@ func (l *Login) handlePasswordReset(w http.ResponseWriter, r *http.Request) {
 	}
 	user, err := l.query.GetUser(setContext(r.Context(), authReq.UserOrgID), true, false, loginName)
 	if err != nil {
+		if authReq.LoginPolicy.IgnoreUnknownUsernames && errors.IsNotFound(err) {
+			err = nil
+		}
 		l.renderPasswordResetDone(w, r, authReq, err)
 		return
 	}