Commits on Mar 27, 2024

1. XWIKI-21571: Change default value of the reset password token lifetime ( …

   #3012)
   
   Change the mechanism of the reset password token to not reset it at each
   verification code check, but only when the password is actually reset,
   and when its lifetime expired.
   Also provide a mandatory document initializer for the
   ResetPasswordRequest xclass.
   
   Change a bit more the logic: if the token lifetime configuration is set
   to 0 (which was the default) then we automatically remove the reset
   password request xobject at first wrong attempt (bad verification code):
   it will prevent any bruteforce attack. Then if there's a token lifetime
   configuration set, we don't remove the xobject when a bad attempt is
   performed: user might have used the wrong mail for example. But we do
   remove the xobject when it's expired. And if it's expired, or if the
   code was wrong, in both cases we immediately return an error.
   
   Move ResetPasswordIT and ForgotUserNameIT from
   administration-test-docker to a new module
   security-authentication-test-docker since it's related to
   security-authentication module now.
   
   ---------
   
   Co-authored-by: Manuel Leduc <manuel.leduc@xwiki.com>
   (cherry picked from commit b410dad)

   

   surli committed Mar 27, 2024
   Configuration menu

   • View commit details
   • Copy full SHA for 2d63969
   • Browse repository at this point

   Copy the full SHA

   2d63969 View commit details

   Browse the repository at this point in the history