Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Password Management Token & Server/Client IP Address check #4692

merged 11 commits into from Feb 14, 2020


Copy link

julienhuon commented Feb 12, 2020


Hello Misagh

When you're using the reset password feature, a Token is generated and sent inside a hyperlink by email or SMS.

The Token contains the client IPaddress who requested the reset and the server IP adress who received it.

If the link is used by another client IP address or processed by another server IP address than the ones contains in the Token, the reset will fail.

Problem: When you're running cas inside a container orchestrator like Kubernetes :

  • It could be difficult to stick a user to a specific container
  • A container could have a very short life (less than the token TTL) because of horizontal autoscaling

This pull request adds the capability to disable the check of the server IP address. It also adds the capability to disable to check of the client IP address if needed.

Let me know if you need any further information.


…of the client/server ip address.

This comment has been minimized.

Copy link

codecov bot commented Feb 13, 2020

Codecov Report

Merging #4692 into 6.1.x will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff            @@
##              6.1.x    #4692   +/-   ##
  Coverage     36.25%   36.25%           
  Complexity     5829     5829           
  Files          2579     2579           
  Lines         52537    52537           
  Branches       4177     4177           
  Hits          19049    19049           
  Misses        32069    32069           
  Partials       1419     1419

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f07ac96...9e76aae. Read the comment docs.

Copy link

mmoayyed left a comment

Thanks very much for the patch and notes. LGTM. Additional comments follow.

apereocas-bot and others added 8 commits Feb 13, 2020
@julienhuon julienhuon requested a review from mmoayyed Feb 13, 2020
@mmoayyed mmoayyed merged commit e20933f into apereo:6.1.x Feb 14, 2020
4 of 5 checks passed
4 of 5 checks passed
continuous-integration/travis-ci/pr The Travis CI build failed
Codacy/PR Quality Review Up to standards. A positive pull request.
Summary no rules match, no planned actions
WIP Ready for review
license/cla Contributor License Agreement is signed.
mmoayyed pushed a commit that referenced this pull request Feb 14, 2020
…ement Token & Server/Client IP Address check (#4692)

*  Password Management Token : Add the capability to disable the check of the client/server ip address.

* code improvement

Co-authored-by: apereocas-bot <>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
You can’t perform that action at this time.