This repository has been archived by the owner on Aug 28, 2023. It is now read-only.

[FEATURE] Use rsa encryption on the "forgot password" page #4

Closed
yol opened this issue Jul 3, 2015 · 9 comments

Comments

@yol
Contributor

yol commented Jul 3, 2015

Encrypting passwords with RSA before transmission greatly increases security over plain HTTP connections as passwords cannot be passively intercepted then. The login form already uses the rsaauth extension by calling the hooks made for felogin.
But if the user initiates a password reset, he can specify a new password on a different page. The password field on that page is not encrypted at all. It would be nice if RSA encryption could be used there, too.

@mbrodala
Member

mbrodala commented Jul 6, 2015

I totally agree that this would make sense but this won't be easy to fix since the whole encryption logic of rsaauth is tailored for the default TYPO3 login process and not generally re-usable.

This will need to be fixed in TYPO3 first, thus closing this for now. Please watch the upstream issue and leave a comment there.

@mbrodala mbrodala closed this as completed Jul 6, 2015
@yol
Contributor Author

yol commented Jul 6, 2015

I've created a new issue at https://forge.typo3.org/issues/67932 because I think a more general solution would be preferable.

@mbrodala
Member

mbrodala commented Jul 7, 2015

Thanks a lot for that, a change is already pending. :-)

If this is fixed, we can add RSA encryption as early as TYPO3 7.4 is released.

Reopening this issue as a reminder.

@mbrodala mbrodala reopened this Jul 7, 2015
@yol
Contributor Author

yol commented Jul 7, 2015

Yep that was really quick, seems like someone was already working on that. Rewritten FE login support is still missing but it looks very promising so far.

@mbrodala
Member

The change was merged now, thus we may be able to add this for TYPO3 7.4.

@mbrodala
Member

mbrodala commented Aug 4, 2015

Here is an example of the new RSAAuth API.

mbrodala added a commit that referenced this issue Aug 4, 2015
This makes use of the new RSA encryption API introduced with
TYPO3 7.4 to protect passwords submitted in our reset form.

Fixes #4
@mbrodala
Member

mbrodala commented Aug 4, 2015

@pkerling I have just added this feature and it is waiting to be merged. Can you confirm it to be working as expected? Notice that you need TYPO3 7.4 to test it.

@yol
Contributor Author

yol commented Aug 4, 2015

That's a big works for me. Won't be able to use it for now (all customers are on 6.2), but very nice to see it implemented this quickly. Thanks!

@mbrodala
Member

mbrodala commented Aug 5, 2015

Alright, thanks for testing, I'll merge it. And yes, I'd also like to ship this for 6.2 but copying it from 7.4 and keeping it in sync is not really an option. ;-)
