Commit
XWIKI-21571: Change default value of the reset password token lifetime (#3012)

Change the mechanism of the reset password token to not reset it at each
verification code check, but only when the password is actually reset,
and when its lifetime has expired.
Also provide a mandatory document initializer for the
ResetPasswordRequest xclass.

Change the logic a bit more: if the token lifetime configuration is set
to 0 (which was the default), then we automatically remove the reset
password request xobject at the first wrong attempt (bad verification code):
this prevents any brute-force attack. Then, if a token lifetime
configuration is set, we don't remove the xobject when a bad attempt is
performed: the user might have used the wrong mail, for example. But we do
remove the xobject when it's expired. And if it's expired, or if the
code was wrong, in both cases we immediately return an error.

Move ResetPasswordIT and ForgotUserNameIT from
administration-test-docker to a new module
security-authentication-test-docker since they are related to the
security-authentication module now.

---------

Co-authored-by: Manuel Leduc <manuel.leduc@xwiki.com>
(cherry picked from commit b410dad)
surli authored and github-actions[bot] committed Mar 27, 2024
1 parent 590c59d commit b3010eb
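The token-lifetime rules described in the commit message (lifetime 0 destroys the request on the first wrong code; a configured lifetime tolerates wrong codes but removes the request once it has expired; a correct code does not consume the token, only the actual password reset does) as an added, self-contained model. This is example code written for this page, not XWiki's implementation: the ResetRequest class, the in-memory map standing in for the ResetPasswordRequest xobject, the Outcome enum and the method names are all assumptions, and the policy decision to treat a missing request as a wrong-code attempt is the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

/** Illustrative model of the reset-token lifetime rules; not XWiki's code. */
public class ResetTokenPolicyExample {

    /** Stand-in for the ResetPasswordRequest xobject (hypothetical shape). */
    static final class ResetRequest {
        final String verificationCode;
        final Instant issuedAt;

        ResetRequest(String verificationCode, Instant issuedAt) {
            this.verificationCode = verificationCode;
            this.issuedAt = issuedAt;
        }
    }

    enum Outcome { OK, WRONG_CODE, EXPIRED }

    /** Keyed by user reference; in XWiki the request lives on the user document instead. */
    private final Map<String, ResetRequest> requests = new HashMap<>();

    /** Configured lifetime in minutes; 0 means "no lifetime" and enables the one-shot rule. */
    private final long tokenLifetimeMinutes;

    ResetTokenPolicyExample(long tokenLifetimeMinutes) {
        this.tokenLifetimeMinutes = tokenLifetimeMinutes;
    }

    void issue(String user, String code, Instant now) {
        requests.put(user, new ResetRequest(code, now));
    }

    /**
     * Check a submitted verification code. The request is removed only
     * (a) on a wrong code when no lifetime is configured (anti brute-force), or
     * (b) when the configured lifetime has elapsed, whatever the code.
     * A correct code leaves the request in place; it is consumed by resetPassword().
     */
    Outcome checkCode(String user, String submittedCode, Instant now) {
        ResetRequest req = requests.get(user);
        if (req == null) {
            return Outcome.WRONG_CODE; // example's choice: no pending request counts as a bad attempt
        }
        if (tokenLifetimeMinutes > 0
            && now.isAfter(req.issuedAt.plus(Duration.ofMinutes(tokenLifetimeMinutes)))) {
            requests.remove(user); // expired: drop it even if the code would have matched
            return Outcome.EXPIRED;
        }
        // Constant-time comparison so response timing does not leak matching prefixes.
        boolean match = MessageDigest.isEqual(
            req.verificationCode.getBytes(StandardCharsets.UTF_8),
            submittedCode.getBytes(StandardCharsets.UTF_8));
        if (!match) {
            if (tokenLifetimeMinutes == 0) {
                requests.remove(user); // lifetime 0: first wrong code kills the request
            }
            return Outcome.WRONG_CODE;
        }
        return Outcome.OK;
    }

    /** The request is consumed only here, when the password is actually changed. */
    boolean resetPassword(String user, String submittedCode, String newPassword, Instant now) {
        if (checkCode(user, submittedCode, now) != Outcome.OK) {
            return false;
        }
        requests.remove(user);
        // Persisting newPassword is out of scope for this example.
        return true;
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-03-27T10:00:00Z"); // constructed timestamp

        // Lifetime 0 (the old default): one wrong code destroys the request.
        ResetTokenPolicyExample noLifetime = new ResetTokenPolicyExample(0);
        noLifetime.issue("XWiki.Alice", "123456", t0);
        System.out.println(noLifetime.checkCode("XWiki.Alice", "000000", t0)); // WRONG_CODE, request removed
        System.out.println(noLifetime.checkCode("XWiki.Alice", "123456", t0)); // WRONG_CODE, already gone

        // Lifetime configured: wrong codes are tolerated until expiry; expiry removes the request.
        ResetTokenPolicyExample withLifetime = new ResetTokenPolicyExample(60);
        withLifetime.issue("XWiki.Bob", "654321", t0);
        System.out.println(withLifetime.checkCode("XWiki.Bob", "000000", t0)); // WRONG_CODE, request kept
        System.out.println(withLifetime.checkCode("XWiki.Bob", "654321", t0)); // OK, not consumed
        System.out.println(withLifetime.checkCode("XWiki.Bob", "654321",
            t0.plus(Duration.ofMinutes(61)))); // EXPIRED, request removed
    }
}
```

With a lifetime configured, the request survives wrong codes for the whole window, so the verification code must carry enough entropy (or the endpoint enough rate limiting) for that window; the lifetime-0 branch trades that guessing budget for a denial-of-service angle, since anyone who can reach the form can invalidate a pending request with one bad guess.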
Showing 18 changed files with 584 additions and 291 deletions.
Expand Up @@ -86,16 +86,6 @@
<version>${project.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.icegreen</groupId>
<artifactId>greenmail-junit5</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.sun.mail</groupId>
<artifactId>jakarta.mail</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.xwiki.platform</groupId>
<artifactId>xwiki-platform-flamingo-skin-test-pageobjects</artifactId>
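Review bot: removing greenmail-junit5 and jakarta.mail from this pom leaves administration-test-docker without a mail test harness, so any test still in this module that talks to an SMTP server will no longer compile; the two ITs that needed them are said to move to security-authentication-test-docker, whose pom is not part of this view, so confirm both dependencies are declared there with the same test scope before merging.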
Expand Up @@ -38,12 +38,6 @@ class NestedAdministrationIT extends AdministrationIT
{
}

@Nested
@DisplayName("Reset Password")
class NestedResetPasswordIT extends ResetPasswordIT
{
}

@Nested
@DisplayName("ConfigurableClass")
class NestedConfigurableClassIT extends ConfigurableClassIT
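Review bot: dropping NestedResetPasswordIT leaves the import of ResetPasswordIT at the top of this file, which is outside the hunk, unused; remove it in the same change so the aggregator class does not carry a dead import.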
Expand All @@ -56,12 +50,6 @@ class NestedUsersGroupsRightsManagementIT extends UsersGroupsRightsManagementIT
{
}

@Nested
@DisplayName("Forgot Username")
class NestedForgotUsernameIT extends ForgotUsernameIT
{
}

@Nested
@DisplayName("XAR Import")
class NestedXARImportIT extends XARImportIT
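Review bot: the nested class removed here extends ForgotUsernameIT, while the commit message calls it ForgotUserNameIT; align the message with the actual class name so the moved test can be found by name in the new module.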

This file was deleted.

Expand Up @@ -2530,7 +2530,6 @@ xe.admin.passwordReset.step2.login=Please login to continue \u00BB
xe.admin.passwordReset.step2.backToStep1=Back to the password reset page \u00BB
xe.admin.passwordReset.step2.error.emptyPassword=The password cannot be empty.
xe.admin.passwordReset.step2.error.verificationMismatch=The two passwords do not match.
xe.admin.passwordReset.step2.error.wrongParameters=Wrong parameters! Another link was already sent or this one was already accessed!
xe.admin.passwordReset.step2.error.noProgrammingRights=This page requires programming rights to work, which currently isn't the case. Please notify an administrator of this problem and try again later.
xe.admin.passwordReset.step2.versionComment.passwordReset=Password was reset
xe.admin.passwordReset.step2.versionComment.changeValidationKey=Refreshed password reset token
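Review bot: the kept context line `xe.admin.passwordReset.step2.versionComment.changeValidationKey=Refreshed password reset token` describes the per-check token refresh that the commit message says no longer happens; check whether that key is still referenced and, if not, move it to the deprecated block alongside wrongParameters rather than leaving a version comment for a code path that was removed.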
Expand Down Expand Up @@ -5652,6 +5651,11 @@ core.viewers.diff.previousVersion=Previous version
core.viewers.diff.nextChange=Next change
core.viewers.diff.previousChange=Previous change

#######################################
## until 16.3.0RC1
#######################################
xe.admin.passwordReset.step2.error.wrongParameters=Wrong parameters! Another link was already sent or this one was already accessed!

## Used to indicate where deprecated keys end
#@deprecatedend

Expand Up @@ -36,4 +36,12 @@
<module>xwiki-platform-security-authentication-script</module>
<module>xwiki-platform-security-authentication-ui</module>
</modules>
<profiles>
<profile>
<id>integration-tests</id>
<modules>
<module>xwiki-platform-security-authentication-test</module>
</modules>
</profile>
</profiles>
</project>
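Review bot: the module added to the integration-tests profile is xwiki-platform-security-authentication-test, whereas the commit message names the new module security-authentication-test-docker; if -test is an aggregator that contains the -docker module this is fine, but say so in the message. Also note that a profile-only module means ResetPasswordIT and ForgotUsernameIT now run only with -Pintegration-tests, so confirm the CI job for this branch activates that profile, otherwise the move silently stops the tests from running.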

0 comments on commit b3010eb
