Skip to content

Keep password recovery generic when email delivery is unavailable#2370

Open
DivyamTalwar wants to merge 1 commit into
fastapi:masterfrom
DivyamTalwar:fix/password-recovery-disabled-email-final
Open

Keep password recovery generic when email delivery is unavailable#2370
DivyamTalwar wants to merge 1 commit into
fastapi:masterfrom
DivyamTalwar:fix/password-recovery-disabled-email-final

Conversation

@DivyamTalwar

Copy link
Copy Markdown

Summary

This keeps /password-recovery/{email} on the same generic HTTP response when reset email delivery is unavailable.

The route now:

  • returns the generic password-recovery response without looking up a user when email delivery is not configured
  • only generates and sends a reset email when delivery is configured and the user exists
  • returns the same generic response if reset-token generation, email-template generation, or send_email() raises

Why

The endpoint already returns a generic response for unknown emails. Before this change, an existing user could still hit an internal error when SMTP settings were disabled because send_email() requires email delivery settings to be configured.

This avoids status/body-based differences for disabled-email and reset-email failure paths. It does not try to equalize timing between existing and non-existing users, and it does not guarantee that an email was delivered.

Tests

  • cd backend && uv run --no-sync ruff check app/api/routes/login.py tests/api/routes/test_login.py — passed
  • cd backend && uv run --no-sync ruff format --check app/api/routes/login.py tests/api/routes/test_login.py — passed
  • cd backend && uv run --no-sync pytest tests/api/routes/test_login.py --collect-only -q — passed, collected 13 tests
  • cd backend && uv run --no-sync bash scripts/prestart.sh && uv run --no-sync pytest tests/api/routes/test_login.py -q — passed, 13 tests passed with a temporary local postgres:18-alpine service

I did not complete the full GitHub Actions-equivalent stack locally; CI should cover the Compose/mailcatcher/coverage/Playwright surfaces.

Notes

No existing issue. I checked the current open upstream issues and PRs for password recovery / SMTP / disabled email / send_email duplicates and did not find a matching open item.

Password recovery returned the same generic response for unknown accounts, but existing accounts could still fail when SMTP was disabled or the reset-email side-effect path raised. This keeps the endpoint response stable, skips the email workflow when delivery is not configured, and avoids adding account-conditioned recovery logs.

Constraint: Upstream has no open issue for this and the repo permits focused direct bug-fix PRs.
Rejected: Backgrounding password recovery delivery | That is a broader architecture change beyond this focused response-uniformity fix.
Confidence: high
Scope-risk: narrow
Directive: Keep password recovery HTTP responses generic for disabled or failing email delivery.
Tested: uv run --no-sync ruff check app/api/routes/login.py tests/api/routes/test_login.py
Tested: uv run --no-sync ruff format --check app/api/routes/login.py tests/api/routes/test_login.py
Tested: uv run --no-sync pytest tests/api/routes/test_login.py --collect-only -q
Tested: temporary postgres:18-alpine + uv run --no-sync pytest tests/api/routes/test_login.py -q
Not-tested: Latest full backend workflow-equivalent suite after refinement; rely on GitHub Actions for Compose/mailcatcher/coverage/Playwright surfaces.
@DivyamTalwar

Copy link
Copy Markdown
Author

Thanks! The code/test checks are green; the remaining failed check is the repository label gate requiring one of the release labels. This looks like a bug-fix PR, but I do not have permission to apply labels to the upstream PR. A maintainer can unblock that check by adding the bug label if that classification looks right.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants