1

I'm building a web app in Node.js, Express, and Mongoose. I'm worried about security and optimization issues regarding what to send in the email link.

I see many of them sending `/:userId/:token`, but if I inserted only the token in the link, wouldn't it be the same? I thought so because this way the userId isn't shown in the email (more secure).

dungarian
anto12345

1 Answer

1

Usually user IDs (user names, login names) are not considered secret.

  1. If a user needs to contact the service desk to resolve a problem, the user ID has to be given. Thus, unlike a password, the user ID is considered to be known to many people.
  2. If an attacker gets access to the application database, all data will be known except the passwords (if the passwords are properly hashed).
  3. If the attacker wants to force a user to reset their password, e.g. by intentionally entering a wrong password many times, the attacker would first have to find out the user ID. Thus hiding it would make no sense.
  4. In some cases it can be desirable to prevent disclosure of a particular person's relation to a particular website. But if the attacker intercepted the email, that relation becomes clear regardless of whether the email contains the user ID.

Thus there is no particular security advantage if the password reset link doesn't contain the user ID.

mentallurg