Hi there, first of all thank you for this amazing gem.
I was looking at the SendPasswordReset mutation (https://github.com/graphql-devise/graphql_devise/blob/master/lib/graphql_devise/mutations/send_password_reset.rb), and I can see that it returns an "authenticatable" instance.
Is this a security issue? Can somebody just request something like this and get private information about the user? (Assuming he knows the e-mail)
mutation {
  userSendPasswordReset(email: "john@doe.com", redirectUrl: "http://someurl.com") {
    authenticatable {
      email
      id
      firstName
      lastName
      ...otherPrivateInfo
    }
  }
}
Let me know if I'm getting it right, so I can perform a pull request in order to fix this issue.
Thank you.
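To make the concern concrete, here is an added example (not code from graphql_devise or the issue author) of the two payload shapes side by side in plain Ruby: the leaky one hands the whole user record back to whoever supplied the e-mail, the hardened one returns only a fixed message. The `User` class, `USERS` store and the function names are constructed stand-ins for the Devise model and the gem's mutation.

```ruby
require 'securerandom'

# Constructed in-memory stand-in for the Devise model; not the gem's code.
class User
  attr_reader :email, :first_name, :last_name, :reset_token

  def initialize(email, first_name, last_name)
    @email, @first_name, @last_name = email, first_name, last_name
  end

  # Devise would generate a token and e-mail it; here we only record that it happened.
  def send_reset_password_instructions
    @reset_token = SecureRandom.hex(16)
    true
  end
end

USERS = { 'john@doe.com' => User.new('john@doe.com', 'John', 'Doe') }.freeze

# Leaky shape from the issue: the payload carries the authenticatable, so every
# field on the user is readable by an unauthenticated caller who knows the e-mail.
def send_password_reset_leaky(email)
  user = USERS[email]
  user&.send_reset_password_instructions
  { authenticatable: user }
end

# Hardened shape: the reset is still triggered, but the payload exposes only a
# constant message, and the same message whether or not the address is registered,
# so the response reveals nothing about the user record.
PASSWORD_RESET_MESSAGE =
  'If an account exists for that address, reset instructions have been sent.'.freeze

def send_password_reset_safe(email)
  user = USERS[email]
  user&.send_reset_password_instructions
  { message: PASSWORD_RESET_MESSAGE }
end
```

The assertion to keep in a test is that the safe payload contains no key other than `message` and is identical for a known and an unknown address.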