
"Forgot password" procedure is broken #178

Closed
adrienjoly opened this issue Oct 27, 2018 · 5 comments

@adrienjoly (Member)

When an Openwhyd user forgets their password, they can normally pick a new one by following this procedure:

  • from https://openwhyd.org/login, click on the "?" button => it goes to https://openwhyd.org/password
  • from that page, they enter their email address
  • if this email address matches an existing Openwhyd account, an email is sent to that address
  • the user clicks the URL included in that email => it leads to an https://openwhyd.org/password?uid=XXX&resetCode=YYY page that allows the user to set a new password
  • the user can login with their new password

Apparently, the email is not sent anymore.

@adrienjoly adrienjoly added the bug label Oct 27, 2018
@adrienjoly (Member, Author)

I see that there were ~10k emails sent from our shared SendGrid account, on 11/10/2018:

[image]

=> Hypothesis: this spike may have caused our SendGrid account to go overquota, and/or our outgoing email requests to be throttled / rate limited.

@adrienjoly (Member, Author)

Indeed, I found many occurrences of the email response error `{"errors":["Maximum credits exceeded"],"message":"error"}` coming from SendGrid in our production logs.

@adrienjoly (Member, Author)

Analytics have been stable during that day:

[image]

@adrienjoly (Member, Author)

adrienjoly commented Oct 27, 2018

Starting on Thu, 11 Oct 2018 02:48:42 GMT, 11127 invites have been sent by a user (uId = `5bbeb9a0bedd3509a3da2ea2`) to @qq.com email addresses.

=> Let's shut down the email invite system to prevent this situation from happening again.
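
The two findings in this thread (SendGrid answering `Maximum credits exceeded` in the production logs, and a single account sending thousands of invites in a burst to one recipient domain) are the kind of signals a log check can surface automatically. The script below is an added example and is not Openwhyd's code: it assumes a constructed JSON-lines log format (`ts`, `kind`, `uId`, `to`, `response`), a hypothetical per-user cap of 20 invites per hour, and builds its own sample data inline. It counts provider quota errors, flags senders whose invite rate exceeds the cap in any sliding window, tallies recipient domains, and shows a per-user rate gate as a less drastic alternative to switching invites off entirely.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
INVITES_PER_WINDOW = 20          # hypothetical per-user cap, not an Openwhyd setting
WINDOW = timedelta(hours=1)
QUOTA_ERROR = "Maximum credits exceeded"   # SendGrid error text quoted in the issue


def make_sample_log():
    """Constructed sample log (not real production data): one JSON object per outbound email."""
    base = datetime(2018, 10, 11, 2, 48, 42)
    lines = []
    # one account fires 30 invites in 10 minutes, all to the same recipient domain
    for i in range(30):
        lines.append(json.dumps({"ts": (base + timedelta(seconds=20 * i)).strftime(TS_FMT),
                                 "kind": "invite", "uId": "abuser-uid",
                                 "to": f"target{i}@qq.example",
                                 "response": {"message": "success"}}))
    # an ordinary account sends 3 invites spread over a day
    for i in range(3):
        lines.append(json.dumps({"ts": (base + timedelta(hours=8 * i)).strftime(TS_FMT),
                                 "kind": "invite", "uId": "normal-uid",
                                 "to": f"friend{i}@example.com",
                                 "response": {"message": "success"}}))
    # next day, password-reset emails fail because the provider quota is exhausted
    for i in range(5):
        lines.append(json.dumps({"ts": (base + timedelta(days=1, minutes=i)).strftime(TS_FMT),
                                 "kind": "password_reset", "uId": f"reset-user-{i}",
                                 "to": f"user{i}@example.com",
                                 "response": {"errors": [QUOTA_ERROR], "message": "error"}}))
    return "\n".join(lines)


def parse_log(text):
    """Parse JSON lines into dicts, converting `ts` to datetime; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        events.append(rec)
    return events


def quota_errors(events):
    """Count sends whose provider response carries the quota-exhausted error."""
    return sum(1 for e in events if QUOTA_ERROR in e["response"].get("errors", []))


def invite_bursts(events, limit=INVITES_PER_WINDOW, window=WINDOW):
    """Map uId -> largest number of invites sent within any `window`, for users over `limit`."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "invite":
            per_user[e["uId"]].append(e["ts"])
    flagged = {}
    for uid, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best > limit:
            flagged[uid] = best
    return flagged


def recipient_domains(events):
    """Count invite recipients per domain; one dominant domain is a useful abuse signal."""
    counts = Counter()
    for e in events:
        if e["kind"] == "invite":
            counts[e["to"].rsplit("@", 1)[1].lower()] += 1
    return counts


def invite_allowed(uid, now, events, limit=INVITES_PER_WINDOW, window=WINDOW):
    """Per-user rate gate: permit the send only if `uid` has fewer than `limit`
    invites in the trailing `window` ending at `now`."""
    recent = [e for e in events
              if e["kind"] == "invite" and e["uId"] == uid
              and timedelta(0) <= now - e["ts"] <= window]
    return len(recent) < limit


if __name__ == "__main__":
    evs = parse_log(make_sample_log())
    print("quota errors:", quota_errors(evs))
    print("burst senders:", invite_bursts(evs))
    print("top recipient domain:", recipient_domains(evs).most_common(1))
    print("abuser may send another invite?", invite_allowed("abuser-uid", evs[29]["ts"], evs))
```

Run against the constructed log, the script reports 5 quota errors, flags `abuser-uid` with 30 invites inside one window, shows `qq.example` as the dominant recipient domain, and the rate gate refuses the abuser while still allowing the ordinary account. In a real deployment the same checks would run over the application's actual outbound-email log, and the gate would sit in front of the invite endpoint so a burst is stopped before the provider quota is consumed.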

adrienjoly added a commit that referenced this issue Oct 27, 2018
@adrienjoly adrienjoly self-assigned this Oct 27, 2018
adrienjoly added a commit that referenced this issue Oct 27, 2018
The email invite system has been abused between October 10th and 11th, causing our SendGrid account to go over-quota, which caused the email reset procedure emails (see #178) and others to not be sent after that incident.
@adrienjoly (Member, Author)

The situation will hopefully not happen again, when the PR is deployed in production => closing.

adrienjoly pushed a commit that referenced this issue Oct 27, 2018
## [1.4.4](v1.4.3...v1.4.4) (2018-10-27)

### Bug Fixes

* **security:** disable email invites ([#180](#180)) ([26effca](26effca)), closes [#178](#178)