Email Verification #957
Estimate (4h):
- Adjust email (1h)
- Invest max. 5h
This was referenced Jan 10, 2022
Invest max. 5h, if possible by Carlo, since he has already looked into this in detail.
Since hitobito can now act as an OAuth 2.0 / OpenID Connect Identity Provider, we should start validating the primary email when it is changed. Otherwise, a malicious user could temporarily change his email to one he doesn't own and impersonate someone else in external services.
While OAuth technically isn't really meant for authentication (but only authorization), it is very common for OAuth client applications to rely on the validity of the email address, since it is the primary exposed identifier of other OAuth services such as the ones from Google and Facebook.
While we are at it, we can also check the spelling of the email address when it is entered, e.g. using a gem.

Email spelling validation was implemented in the meantime in #932.

Tech-Spec
- Add `devise :confirmable` to `Person`
- The views can be generated with `rails generate devise:views people`

Verification after password reset?
Confirming the email address after a password reset was removed from devise in heartcombo/devise@052cbef because it is a potential security risk. But if we make sure that only the email address that received the password reset is confirmed, it should be okay, since the described attacks rely on changing the email address after the password-reset mail has been sent.
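The confirmation flow discussed above, as an added Ruby example that is not part of this issue, hitobito or Devise: a hypothetical `Person` class that drops the verified status whenever the address changes, confirms it only via a mailed token, and on password reset confirms only the address that actually received the reset mail, so that `email_verified` in the OIDC claims stays false for an address swapped in after the mail went out.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical stand-in for a hitobito Person with confirmable state
# (written for this example, not hitobito's or Devise's code).
class Person
  attr_reader :email, :confirmed

  def initialize(email)
    @email = email
    @confirmed = false
    @confirmation_digest = nil
    @reset_digests = {} # token digest => address the reset mail went to
  end

  # Changing the primary address drops its verified status until the new
  # address proves ownership. Returns the raw token that would be mailed.
  def change_email(new_email)
    @email = new_email
    @confirmed = false
    token = SecureRandom.hex(16)
    @confirmation_digest = Digest::SHA256.hexdigest(token)
    token
  end

  def confirm_email(token)
    return false unless @confirmation_digest == Digest::SHA256.hexdigest(token)
    @confirmation_digest = nil
    @confirmed = true
  end

  # Password reset: record which address actually received the mail.
  def request_password_reset
    token = SecureRandom.hex(16)
    @reset_digests[Digest::SHA256.hexdigest(token)] = @email
    token
  end

  # Completing the reset confirms the address only if the mail went to the
  # address still on the account; an address changed after the mail was
  # sent (the case the issue refers to) stays unconfirmed.
  def reset_password(token, new_password)
    sent_to = @reset_digests.delete(Digest::SHA256.hexdigest(token))
    return false unless sent_to
    @password = new_password
    @confirmed = true if sent_to == @email
    true
  end

  # What an OIDC client sees: email_verified mirrors the confirmed flag.
  def oidc_claims
    { email: @email, email_verified: @confirmed }
  end
end
```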