[6.x] Harden password reset#14294

Merged
jasonvarga merged 7 commits into 6.x from encrypt-reset-url on Mar 18, 2026
Conversation

@jasonvarga (Member) commented Mar 18, 2026

The reset URL parameter of the forgot password endpoint was hardened already in #14008, #14023, #14016, #14287, but this PR goes a step further and prevents it from being manipulatable. Encryption is used now, so you can't just submit whatever you want.

The forgot_password_form tag will automatically encrypt the value which is decrypted on submission.

However, since this endpoint could be used via ajax in the case of a headless site, we can't expect people to use encryption. They wouldn't be able to on the front-end anyway. To preserve backwards compatibility, relative URLs can still be provided unencrypted. When an unencrypted absolute URL is used, it "fails" silently and falls back to the built-in password reset URL.

In v7 when we can make a breaking change, we'll get rid of this entirely in favor of a config option.
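As an added illustration (not code from this PR or from Statamic), the three-way resolution the description lays out: an encrypted value is trusted, an unencrypted relative URL is kept for headless callers, and an unencrypted absolute URL silently falls back to the default. Function names, the demo key and the use of AES-256-GCM through ext-openssl in place of Laravel's Crypt are all assumptions.

```php
<?php
// Added example, not Statamic's code: the resolution rules the PR description lays out.
// Function names are hypothetical; AES-256-GCM via ext-openssl stands in for Laravel's Crypt.
const DEMO_KEY = '0123456789abcdef0123456789abcdef'; // constructed 32-byte demo key, not a real APP_KEY
const DEFAULT_RESET_URL = '/password/reset';         // stands in for the built-in reset URL

// What the forgot_password_form tag would emit: a token the browser cannot alter.
function sealResetUrl(string $url, string $key): string {
    $iv = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($url, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    return base64_encode($iv . $tag . $ct);
}

// Plaintext URL, or null when the value is not a token, is malformed or has been tampered with.
function openResetUrl(string $token, string $key): ?string {
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16));
    return $pt === false ? null : $pt;
}

// Relative: no scheme, no host, and not scheme-relative ("//host", or the backslash
// variants some browsers normalise to it), which would otherwise leave the site.
function isRelativeUrl(string $url): bool {
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url) || preg_match('#^[/\\\\]{2}#', $url)) {
        return false;
    }
    $parts = parse_url($url);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}
function resolveResetUrl(?string $param, string $key, string $default): string {
    if ($param === null || $param === '') {
        return $default;
    }
    if (($url = openResetUrl($param, $key)) !== null) {
        return $url;     // sealed by the form tag: absolute URLs are allowed here
    }
    if (isRelativeUrl($param)) {
        return $param;   // unencrypted relative URL: kept for headless/ajax callers
    }
    return $default;     // unencrypted absolute URL: silent fallback, as the PR describes
}
$sealed = sealResetUrl('https://app.example/reset', DEMO_KEY);
var_dump(resolveResetUrl($sealed, DEMO_KEY, DEFAULT_RESET_URL));
var_dump(resolveResetUrl('/account/reset', DEMO_KEY, DEFAULT_RESET_URL));
var_dump(resolveResetUrl('https://other.example/reset', DEMO_KEY, DEFAULT_RESET_URL));
```

Because a decrypted value is trusted as-is, the key must never reach the front-end; that is why unencrypted input stays limited to relative paths.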

@jasonvarga jasonvarga marked this pull request as ready for review March 18, 2026 20:14
@jasonvarga jasonvarga merged commit 51cd022 into 6.x Mar 18, 2026
17 checks passed
@jasonvarga jasonvarga deleted the encrypt-reset-url branch March 18, 2026 21:52