
When using the Google Identity Toolkit with Angular and a Node backend, I stumbled upon the following problem. There is the password reset function to reset a user password, and the request is sent directly from the client to the Google API. However, an unauthenticated attacker can enumerate the email addresses of my customers.

POST /identitytoolkit/v3/relyingparty/getOobConfirmationCode
...
{
  "requestType": "PASSWORD_RESET",
  "email": "peter@smith.de",
  "continueUrl": "https://redacted.com/index",
  "canHandleCodeInApp": true
}

If the email exists, the API answers with HTTP 200 OK, and if the email does not exist, with HTTP 400. How can I mitigate this problem? I would like the response of the API to be the same all the time.

Avasdream
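One way to get a constant response, as an added example that is not code from the question or from Google's SDK: a Node endpoint that proxies the reset request server-side and returns the same status and body for registered and unknown addresses. The sendResetEmail stub, its sample user list and the Express route are assumptions.

```javascript
// Constructed stand-in for the server-side Identity Toolkit call: it throws
// with status 400 on unknown addresses, mirroring the real API's behaviour.
const KNOWN_USERS = new Set(['peter@smith.de']); // constructed sample data

async function sendResetEmail(email) {
  if (!KNOWN_USERS.has(email)) {
    const err = new Error('EMAIL_NOT_FOUND');
    err.status = 400;
    throw err;
  }
  return { kind: 'identitytoolkit#GetOobConfirmationCodeResponse', email };
}

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// One body for every well-formed request, so the response carries no
// information about whether the address is registered.
const GENERIC_BODY = Object.freeze({
  status: 'ok',
  message: 'If an account exists for that address, a reset email has been sent.',
});

// Returns { status, body } for the HTTP layer. The existence-revealing outcome
// of the upstream call is recorded server-side via deps.log, never echoed back.
async function handlePasswordReset(body, deps = { sendResetEmail, log: () => {} }) {
  const raw = body && typeof body.email === 'string' ? body.email : '';
  const email = raw.trim().toLowerCase();
  if (!EMAIL_RE.test(email)) {
    // Format validation reveals nothing about registered users.
    return { status: 400, body: { status: 'error', message: 'A valid email address is required.' } };
  }
  try {
    await deps.sendResetEmail(email);
    deps.log({ event: 'password_reset_requested', email, sent: true });
  } catch (err) {
    // Upstream 400 (unknown address) and any other failure are handled alike.
    deps.log({ event: 'password_reset_requested', email, sent: false, reason: err.message });
  }
  return { status: 200, body: GENERIC_BODY };
}

// Express wiring (assumed; kept as a comment so the example runs without Express):
// app.post('/api/password-reset', async (req, res) => {
//   const { status, body } = await handlePasswordReset(req.body, { sendResetEmail, log: console.log });
//   res.status(status).json(body);
// });
```

The status and body are now uniform, but the path that actually sends mail does more work, so rate-limit the route and check that response timing does not differ noticeably between the two cases.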

0 Answers