Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: password reset leaks user existence #3616

Merged
merged 11 commits into from Sep 14, 2022
Merged

fix: password reset leaks user existence #3616

merged 11 commits into from Sep 14, 2022

Conversation

SychO9
Copy link
Member

@SychO9 SychO9 commented Aug 24, 2022
edited

Part of the security roadmap

Changes proposed in this pull request:

  • Removes unknown user error, throws a validation error instead.
  • Moves password reset logic to a job to prevent leak by duration.

Reviewers should focus on:
I wonder if we should drop the command and move it to the controller now that we also added a job. Would that be a possible breaking change?

Necessity

  • Has the problem that is being solved here been clearly explained?
  • If applicable, have various options for solving this problem been considered?
  • For core PRs, does this need to be in core, or could it be in an extension?
  • Are we willing to maintain this for years / potentially forever?

Confirmed

  • Frontend changes: tested on a local Flarum installation.
  • Backend changes: tests are green (run composer test).
  • Core developer confirmed locally this works as intended.
  • Tests have been added, or are not appropriate here.

SychO9 and others added 5 commits August 24, 2022 14:03
@SychO9
test: request password reset does not leak user existence
1a5e481 
Signed-off-by: Sami Mazouz <ilyasmazouz@gmail.com>
@SychO9
fix: request password leaks user existence
43e6590 
Signed-off-by: Sami Mazouz <ilyasmazouz@gmail.com>
@SychO9
chore: add comment
4bb15c6 
Signed-off-by: Sami Mazouz <ilyasmazouz@gmail.com>
@SychO9
fix: prevent leaking user existence by duration.
8a4d338 
Signed-off-by: Sami Mazouz <ilyasmazouz@gmail.com>
@StyleCIBot
Apply fixes from StyleCI
ba25b35
@SychO9
fix(review): don't throw any errors at all if the user does not exist
22d2c6b 
Signed-off-by: Sami Mazouz <ilyasmazouz@gmail.com>
davwheat
davwheat reviewed Aug 24, 2022
View reviewed changes
Copy link
Member

@davwheat davwheat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might want to consider sending emails to users when their emails aren't registered (ratelimited, obviously) so that a user doesn't sit aimlessly for minutes if they enter one of two emails they might have used, for example.

I know some other services do this, with something like "You've requested a password reset, but we didn't find a user associated with this email address", etc.

framework/core/locale/core.yml Outdated Show resolved Hide resolved
@SychO9 @davwheat
chore(review): better response message wording
02da03b 
Co-authored-by: David Wheatley <hi@davwheat.dev>
@SychO9
Copy link
Member Author

SychO9 commented Aug 24, 2022

hmm 🤔 I don't know if we would want to send emails to non-registered users, but yeah would definitely require rate limiting which would need to be implemented separately as it would be a cache-based implementation possibly reusing the laravel one and allowing for easy re-usage.

@SychO9 SychO9 self-assigned this Aug 24, 2022
@davwheat
Copy link
Member

Yeah, fair point. We should be extra careful about spam to non-users.

@SychO9 SychO9 requested a review from davwheat September 2, 2022 20:45
askvortsov1
askvortsov1 requested changes Sep 6, 2022
View reviewed changes
framework/core/locale/core.yml Outdated Show resolved Hide resolved
framework/core/src/User/Command/RequestPasswordResetHandler.php Outdated Show resolved Hide resolved
@SychO9 @askvortsov1
chore(review): response message wording improvement
7ff028e 
Co-authored-by: Alexander Skvortsov <38059171+askvortsov1@users.noreply.github.com>
@SychO9 SychO9 requested a review from a team as a code owner September 6, 2022 18:14
@SychO9
chore: ditch the command bus layer
1fa2bdb 
Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
@SychO9 SychO9 added this to the 1.6 milestone Sep 6, 2022
@SychO9 SychO9 merged commit 84c3116 into main Sep 14, 2022
@SychO9 SychO9 deleted the sm/prevent-leaking-user-existence-in-password-reset branch September 14, 2022 14:57
@luceos luceos mentioned this pull request Nov 10, 2022
Closed
@imorland imorland mentioned this pull request Sep 22, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@luceos luceos luceos approved these changes

@davwheat davwheat davwheat approved these changes

@askvortsov1 askvortsov1 askvortsov1 approved these changes

Assignees

@SychO9 SychO9

Labels
security
Projects
Roadmap
Status: completed
Milestone
1.6
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@SychO9 @davwheat @luceos @askvortsov1 @StyleCIBot