New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Yesod.Auth.Email: After verifying an email, the verification url still works as a login if the user does not set a password #1222
Comments
Agreed, this is a bug. Hopefully the fix should be simple: changing when On Thu, Apr 21, 2016 at 11:31 PM Bryan Richter notifications@github.com
|
Indeed, I do. Just wanted to track it here; maybe a snowdrift volunteer
|
We're looking at this now. The point was raised that this is really already something the user can already control. The definition of That means there's still a bug, of course: At the very least, One thing I can think of is changing the type of the methods in We could add a 'deleteVerifyKey' method to the typeclass. That wouldn't permit verification and deletion running in the same transaction, but maybe that's ok? At least it would be a compile-time check for deleting the key. I think I'm leaning towards putting big documentation warnings on |
Maybe depending on |
Oh, for some reason I did not think |
I take that back. I think the resolution for this needs to be "Big honkin warning signs". There is more than one way to invalidate a key than by deleting it. |
What am I missing here? Why is there any persistence required? It seems to me that the key should be some kind of signed token that identifies the account that will be created and the expiration time of the key. If either the account already exists or the expiration time has passed, the key cannot be re-used. I suppose that depending on the exact implementation, there could be a race condition where the user deletes the account immediately after creating it, before the expiration time of the key. Is that the whole problem you are worried about? If so - there are better ways of solving that than stateful key validity. |
The same method is used both for verifying accounts and for resetting passwords. All the token does is log a user in. Checking if the account exists wouldn't be enough to know if the token has already been used. The root of the problem is that the token can be used to log in a user multiple times, as long as it hasn't expired. That's the problem I express in the initial comment. :) It's not really a huge deal, since a lot still has to go wrong for something malicious to happen, but it's certainly funky. |
Tested by:
Result: I'm logged back in.
Expected result: I receive an error handler resulting from reusing the same verification key.
The text was updated successfully, but these errors were encountered: