Remove now-dead error response path

jasonvarga · claude · jasonvarga · commit 9d425694f47b · 2026-04-22T15:48:18.000-04:00
After password reset responses are normalized to always succeed, the
failure path in sendResetLinkFailedResponse is unreachable with the
default broker. Drop it along with the obsolete external-URL test that
relied on it.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/Auth/SendsPasswordResetEmails.php b/src/Auth/SendsPasswordResetEmails.php
@@ -37,24 +37,12 @@ public function sendResetLinkEmail(Request $request)
     {
         $this->validateEmail($request);
 
-        // We will send the password reset link to this user. Once we have attempted
-        // to send the link, we will examine the response then see the message we
-        // need to show to the user. Finally, we'll send out a proper response.
-        $response = $this->broker()->sendResetLink(
-            $this->credentials($request)
-        );
+        // Always return the generic "reset link sent" response regardless of the broker's
+        // actual result. INVALID_USER and RESET_THROTTLED would each reveal whether the
+        // email belongs to a registered account (the broker only throttles real users).
+        $this->broker()->sendResetLink($this->credentials($request));
 
-        // Treat "no such user" and "throttled" the same as a successful send so the
-        // response does not reveal whether the email belongs to a registered account.
-        // The broker only throttles real users, so a throttled response would itself
-        // be an enumeration oracle.
-        if (in_array($response, [Password::INVALID_USER, Password::RESET_THROTTLED], true)) {
-            $response = Password::RESET_LINK_SENT;
-        }
-
-        return $response === Password::RESET_LINK_SENT
-            ? $this->sendResetLinkResponse($request, $response)
-            : $this->sendResetLinkFailedResponse($request, $response);
+        return $this->sendResetLinkResponse($request, Password::RESET_LINK_SENT);
     }
 
     /**
@@ -105,31 +93,6 @@ protected function sendResetLinkResponse(Request $request, $response)
             : $redirect->with('status', trans($response));
     }
 
-    /**
-     * Get the response for a failed password reset link.
-     *
-     * @param  string  $response
-     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
-     */
-    protected function sendResetLinkFailedResponse(Request $request, $response)
-    {
-        $errorRedirect = $request->input('_error_redirect');
-
-        $redirect = $errorRedirect && ! URL::isExternalToApplication($errorRedirect)
-            ? redirect($errorRedirect)
-            : back();
-
-        if ($request->wantsJson()) {
-            throw ValidationException::withMessages([
-                'email' => [trans($response)],
-            ]);
-        }
-
-        return $redirect
-            ->withInput($request->only('email'))
-            ->withErrors(['email' => trans($response)], 'user.forgot_password');
-    }
-
     /**
      * Get the broker to be used during password reset.
      *
diff --git a/tests/Tags/User/ForgotPasswordFormTest.php b/tests/Tags/User/ForgotPasswordFormTest.php
@@ -273,18 +273,6 @@ public function it_wont_follow_redirect_to_external_url()
             ->assertLocation('/forgot-password');
     }
 
-    #[Test]
-    public function it_wont_follow_redirect_to_external_url_on_error()
-    {
-        $this
-            ->from('/forgot-password')
-            ->post('/!/auth/password/email', [
-                'email' => 'not-an-email',
-                '_error_redirect' => 'https://external-site.com/phishing',
-            ])
-            ->assertLocation('/forgot-password');
-    }
-
     #[Test]
     public function it_will_use_redirect_query_param_off_url()
     {
