Implement token expiration logic for password reset #881

Closed
natt-tester opened this Issue Aug 28, 2018 · 2 comments

natt-tester commented Aug 28, 2018

Steps:

  1. As a user I request a password reset several times ("Forgot your password?" flow)
  2. I use the most recent one and change my password
  3. I click one of the older ones

Expected: I shouldn't be able to use any older token as the most recent one has already been used. Only the most recent token should be valid for security reasons.

Actual: I'm able to use all of the older tokens to change the password and log in to CE.

yurem (Contributor) commented Sep 1, 2018

Implemented. In the JSON oxTrust configuration I added 2 new properties to control this new functionality:
  passwordResetRequestExpirationTime // Expiration time in seconds for password reset requests.
  cleanServiceInterval // Time interval for the Clean Service in seconds.

The old code did not remove expired requests from LDAP at all. Also, the token expiration time was 2 hours and it was hardcoded.
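One way to implement the behaviour this comment describes, as an added example rather than oxTrust's own code: the store below expires requests after passwordResetRequestExpirationTime seconds, sweeps expired ones on a cleanServiceInterval timer, and, once any token for a user is consumed, drops that user's other outstanding tokens so the older emails from the issue cannot be reused. The class and method names are hypothetical, and a `now` callable is injected so the clock can be controlled in tests.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetRequest:
    token: str
    user: str
    created: float  # epoch seconds when the request was issued


class PasswordResetStore:
    """Hypothetical in-memory store of password reset requests.

    Constructor parameter names mirror the two oxTrust config keys from
    the comment; everything else is assumed for this example."""

    def __init__(self, passwordResetRequestExpirationTime=600,
                 cleanServiceInterval=60, now=time.time):
        self.expiration = passwordResetRequestExpirationTime
        self.clean_interval = cleanServiceInterval
        self.now = now
        self.requests = {}          # token -> ResetRequest
        self.last_clean = now()

    def create(self, user):
        """Issue a fresh, unguessable token for a user; older ones stay valid
        until one of them is used or they expire."""
        token = secrets.token_urlsafe(32)
        self.requests[token] = ResetRequest(token, user, self.now())
        return token

    def is_expired(self, req):
        return self.now() - req.created > self.expiration

    def consume(self, token):
        """Validate a token. On success drop every request for that user so
        none of the older reset emails can be replayed. Returns the user
        name, or None if the token is unknown or expired."""
        req = self.requests.get(token)
        if req is None or self.is_expired(req):
            return None
        stale = [t for t, r in self.requests.items() if r.user == req.user]
        for t in stale:
            del self.requests[t]
        return req.user

    def clean_service(self):
        """Periodic sweep of expired requests (the old code never did this).
        Runs at most once per clean_interval; returns the number removed."""
        if self.now() - self.last_clean < self.clean_interval:
            return 0
        expired = [t for t, r in self.requests.items() if self.is_expired(r)]
        for t in expired:
            del self.requests[t]
        self.last_clean = self.now()
        return len(expired)
```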
