From 20b83b4a7dd55729ee63e2c229ef39f45cf145f9 Mon Sep 17 00:00:00 2001
From: Danielle Maywood
Date: Tue, 29 Oct 2024 11:26:53 +0000
Subject: [PATCH 1/2] chore: log when attempted password resets fail

---
 coderd/userauth.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index f1a19d77d23d0..723db6e90da35 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -291,6 +291,8 @@ func (api *API) postRequestOneTimePasscode(rw http.ResponseWriter, r *http.Reque
 if err != nil {
 logger.Error(ctx, "unable to notify user about one-time passcode request", slog.Error(err))
 }
+ } else {
+ logger.Warn(ctx, "password reset requested for account that does not exist", slog.F("email", req.Email))
 }
 }
 
@@ -381,6 +383,7 @@ func (api *API) postChangePasswordWithOneTimePasscode(rw http.ResponseWriter, r
 now := dbtime.Now()
 
 if !equal || now.After(user.OneTimePasscodeExpiresAt.Time) {
+ logger.Warn(ctx, "password reset attempted with invalid one-time passcode", slog.F("email", req.Email))
 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 Message: "Incorrect email or one-time passcode.",
 })

From 0b013a60c0c34b13cbd27da30fa8e0afe1a8a35e Mon Sep 17 00:00:00 2001
From: Danielle Maywood
Date: Tue, 29 Oct 2024 12:06:31 +0000
Subject: [PATCH 2/2] chore: update message

Co-authored-by: Mathias Fredriksson

---
 coderd/userauth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index 723db6e90da35..13f9b088d731f 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
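Review bot: The new `else` branch in postRequestOneTimePasscode logs `req.Email` verbatim at Warn for a request that, by construction, matched no account, so the logged value is entirely attacker-controlled and this endpoint is reachable without authentication — anyone can write arbitrary strings into the server log at Warn and, when the address is real, persist a third party's PII there. For the stated purpose (noticing reset attempts) the line is more useful with the client source than with an unverified email, e.g. `logger.Warn(ctx, "password reset requested for account that does not exist", slog.F("remote_addr", r.RemoteAddr))`, keeping the raw email at Debug at most. Whether this endpoint is rate-limited is not visible in the hunk; if it is not, the Warn line is also a cheap way to flood the logs. postRequestOneTimePasscode begins before the hunk, so I cannot see whether the client response differs between the found and not-found branches; it should not, or the endpoint becomes an account-enumeration oracle.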
@@ -383,7 +383,7 @@ func (api *API) postChangePasswordWithOneTimePasscode(rw http.ResponseWriter, r
 now := dbtime.Now()
 
 if !equal || now.After(user.OneTimePasscodeExpiresAt.Time) {
- logger.Warn(ctx, "password reset attempted with invalid one-time passcode", slog.F("email", req.Email))
+ logger.Warn(ctx, "password reset attempted with invalid or expired one-time passcode", slog.F("email", req.Email))
 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 Message: "Incorrect email or one-time passcode.",
 })
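Review bot: The reworded Warn still folds two different conditions — a wrong passcode and an expired one — into a single event, and that is exactly the distinction a detection rule for OTP brute-forcing needs (many invalid-code events against one account within the validity window is an attack; a single expired-code event is a slow user). The branch already evaluates both predicates, so the split is free as a structured field: `logger.Warn(ctx, "password reset attempted with invalid or expired one-time passcode", slog.F("email", req.Email), slog.F("expired", now.After(user.OneTimePasscodeExpiresAt.Time)))`. Note that `req.Email` is the request-supplied string rather than the canonical address on the resolved `user`; if the user record carries a stable identifier it would be the better key for correlating attempts, but that field is not visible in this hunk. postChangePasswordWithOneTimePasscode starts before the hunk and continues after it, so the constant-time nature of the comparison that produced `equal` cannot be confirmed from here.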