From 3463f4eab67aec983e7efda08140559ac56d745f Mon Sep 17 00:00:00 2001
From: Ed Chipman
Date: Thu, 4 Jan 2018 04:43:41 -0400
Subject: [PATCH] Lost pass disclosure fix (#89)

FIX for issue #88 response from RESTfulAPI_TokenAuthenticator::lostPassword() is now the same regardless whether an email was sent or not
---
 code/authenticator/RESTfulAPI_TokenAuthenticator.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/code/authenticator/RESTfulAPI_TokenAuthenticator.php b/code/authenticator/RESTfulAPI_TokenAuthenticator.php
index 5689ffe..7675fa9 100644
--- a/code/authenticator/RESTfulAPI_TokenAuthenticator.php
+++ b/code/authenticator/RESTfulAPI_TokenAuthenticator.php
@@ -217,7 +217,6 @@ public function lostPassword(SS_HTTPRequest $request)
     {
         $email = Convert::raw2sql($request->requestVar('email'));
         $member = DataObject::get_one('Member', "\"Email\" = '{$email}'");
-        $sent = true;
 
         if ($member) {
             $token = $member->generateAutologinTokenAndStoreHash();
@@ -228,10 +227,10 @@ public function lostPassword(SS_HTTPRequest $request)
                 'PasswordResetLink' => Security::getPasswordResetLink($member, $token)
             ));
             $e->setTo($member->Email);
-            $sent = $e->send();
+            $e->send();
         }
 
-        return array( 'email' => $sent );
+        return array( 'done' => true );
     }
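Review bot: The uniform `array( 'done' => true )` response closes the body-based account oracle, but the `if ($member)` branch in this hunk still does strictly more work for a registered address — the token generation and hash write in `$member->generateAutologinTokenAndStoreHash()` here, and the `$e->send()` in the following hunk — so response latency continues to distinguish known from unknown emails. Worth recording in the code, e.g. `// Response is deliberately identical whether or not $member exists (#88); latency still differs, so rate-limit this endpoint`, and worth considering per-client/per-address rate limiting or handing the mail off to a queue so the request path is near-constant. Separately, the lookup on the third context line interpolates the address into the WHERE clause; `Convert::raw2sql` escapes it, but `Member::get()->filter('Email', $request->requestVar('email'))->first()` would take the ORM's parameterised path and avoid hand-built SQL. lostPassword() continues beyond the end of this hunk.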