
Conversation

@smg6511
Collaborator

@smg6511 smg6511 commented Dec 31, 2025

What does it do?

Created a new, more explicit lexicon entry for the condition where a mail failure occurs when attempting to send a new password activation email.

Why is it needed?

The original message shown appears incomplete.

How to test

  1. While logged in, clear modx cache to ensure new lexicon is picked up
  2. Ensure your system settings for sending mail are set in a way that will trigger a mail server error (e.g., specify an incorrect port)
  3. Logout and click "Forgot your password?"
  4. Enter an email of any legitimate manager user
  5. Verify that a new, clearer error message shows when clicking "Send Activation Email"

Related issue(s)/PR(s)

Resolves #13951

Fix activation email failure message
Spacing and other minor formatting/CQ fixes
@smg6511 smg6511 added type-frontend Issues related to UI/UX issues, mostly about styles and frontend implementations on JavaScript. pr/review-needed Pull request requires review and testing. labels Jan 6, 2026
Member

@opengeek opengeek left a comment


I'm having trouble reviewing this as I am seemingly unable to cause a mail server error even before checking out this PR to test.

@smg6511
Collaborator Author

smg6511 commented Jan 6, 2026

> seemingly unable to cause a mail server error

I just set my mail_smtp_hosts sys setting to a non-valid host (in my case localhost:1020)

@opengeek opengeek self-requested a review January 6, 2026 21:02
Member

@opengeek opengeek left a comment


Now my concern is that the error only shows if you enter a valid username/email address. If I put in an invalid username/email address, the regular success message shows. This could be a way of allowing bad actors to test for usernames/email addresses.

@smg6511
Collaborator Author

smg6511 commented Jan 6, 2026

> Now my concern is that the error only shows if you enter a valid username/email address.

Yeah, and that's the way it has been; I didn't make a change toward that behavior. Here's the thing though: IMO being vague about whether someone's login attempt is being made with a valid user (name/email) probably isn't providing much security.

I actually find it incredibly annoying as a user (in reference to other sites, particularly ones I have an account for but may not have visited for a long time) when I go through a forgot/send me my password process that responds with "if you have an account with us you'll receive an email with..." — just tell me if I don't have an account by X name; it gives you the hint to look more carefully at what you submitted (was there a small typo, etc?). A decent amount of the time I'll know I entered the correct info for at least a previously active account and get no response, presumably because of problems in the site's notification system.

Anyway, that's my soapbox on the matter—just giving my perspective and not necessarily a hard argument one way or the other ;-) In any case, how about I go ahead and make the frontend feedback a little more general and provide a log message that gives the sys admin a better hint of what's going on?

@opengeek
Member

opengeek commented Jan 6, 2026

> Yeah, and that's the way it has been; I didn't make a change toward that behavior. Here's the thing though: IMO being vague about whether someone's login attempt is being made with a valid user (name/email) probably isn't providing much security.
>
> I actually find it incredibly annoying as a user (in reference to other sites, particularly ones I have an account for but may not have visited for a long time) when I go through a forgot/send me my password process that responds with "if you have an account with us you'll receive an email with..." — just tell me if I don't have an account by X name; it gives you the hint to look more carefully at what you submitted (was there a small typo, etc?). A decent amount of the time I'll know I entered the correct info for at least a previously active account and get no response, presumably because of problems in the site's notification system.

I won't argue how much security it provides, but it is a commonly known vulnerability when a site exposes a valid username/email address from user input like this. This gives an attacker a way to narrow down attempts to crack the password for a known user.

> Anyway, that's my soapbox on the matter—just giving my perspective and not necessarily a hard argument one way or the other ;-) In any case, how about I go ahead and make the frontend feedback a little more general and provide a log message that gives the sys admin a better hint of what's going on?

I'll take this as-is and figure out if exposing a valid user this way can be avoided here some other way.
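The enumeration oracle opengeek describes, beside the "general frontend message plus admin log entry" shape smg6511 proposes, as an added illustration that is not MODX code; the user store, the two stand-in mail transports and the response strings are constructed for this example.

```python
import logging

log = logging.getLogger("password_reset")

# Constructed user store for the example (not MODX data): identifier -> email
USERS = {"admin": "admin@example.test"}

class MailError(Exception):
    pass

def send_mail_failing(to_addr: str) -> None:
    """Stand-in transport that always fails, like an SMTP host set to a wrong port."""
    raise MailError("connection refused")

def send_mail_ok(to_addr: str) -> None:
    """Stand-in transport that succeeds silently."""
    return None

def reset_leaky(identifier: str, send=send_mail_failing) -> str:
    """Shape of the flow discussed in the thread: the mail error is only reachable
    for a known user, so under mail failure the reply reveals whether the account exists."""
    email = USERS.get(identifier)
    if email is None:
        return "Check your inbox for an activation email."
    try:
        send(email)
    except MailError as exc:
        return f"Could not send activation email: {exc}"
    return "Check your inbox for an activation email."

def reset_uniform(identifier: str, send=send_mail_failing) -> str:
    """Hardened shape: one public reply for every outcome; the detail goes to the log
    so the sysadmin still sees the mail failure without the requester learning anything."""
    email = USERS.get(identifier)
    if email is None:
        log.info("password reset requested for unknown identifier %r", identifier)
    else:
        try:
            send(email)
        except MailError as exc:
            log.error("activation mail for user %r failed: %s", identifier, exc)
    return "If an account matches, an activation email has been sent."

def leaks_existence(handler, send=send_mail_failing) -> bool:
    """True when the handler's reply differs between a known and an unknown user."""
    return handler("admin", send) != handler("nobody", send)
```

Note that `reset_leaky` only becomes an oracle when mail delivery fails; with a working transport both identifiers get the same reply, which is why the issue is easy to miss in a normal test setup.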


Development

Successfully merging this pull request may close these issues.

MODX 3: Login - Forgot your password error message if no mail service installed
