Description
New Issue Checklist
- Report security issues confidentially.
- Any contribution is under this license.
- Before posting search existing issues.
Issue Description
If maxPasswordHistory is set to a value != 0, the token request does not work as expected. It appears to be incorrectly interpreted as a password change request; as a result, no token is created.
Steps to reproduce
To reproduce the issue you have to set maxPasswordHistory in index.js to a value != 0:

maxPasswordHistory: 5
Then you need to request a token for a user with MFA enabled:
POST {{url}}/login
Content-Type: application/json
Cache-Control: no-cache
X-Parse-REST-API-Key: {{rest_api_key}}
X-Parse-Application-Id: {{application_id}}

{
  "username": "tester",
  "password": "*********",
  "authData": {
    "mfa": {
      "mobile": "+11111111111",
      "token": "request"
    }
  }
}
This is the response:
{
  "code": 142,
  "error": "New password should not be the same as last 5 passwords."
}

If you remove maxPasswordHistory the token is sent as expected.
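The request above, wrapped in a small Node 18 script that a maintainer can run against a test server to tell the two outcomes apart automatically. This is an added reproduction helper, not code from the issue or from Parse Server; it assumes Node's global fetch and that PARSE_SERVER_URL, PARSE_APP_ID, PARSE_REST_KEY and PARSE_TEST_PASSWORD are set in the environment (the username and mobile number are the ones from the issue).

```javascript
// Added reproduction helper (not part of the original issue). Assumes Node 18+
// (global fetch) and the environment variables PARSE_SERVER_URL, PARSE_APP_ID,
// PARSE_REST_KEY and PARSE_TEST_PASSWORD; "tester" / "+11111111111" are the
// constructed values from the issue's request body.

// Build the MFA token request exactly as the issue describes: a /login call
// whose authData.mfa.token is "request" should trigger the sendSMS callback,
// not a password change.
function buildTokenRequest(baseUrl, appId, restKey, username, password, mobile) {
  return {
    url: `${baseUrl.replace(/\/$/, '')}/login`,
    options: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Cache-Control': 'no-cache',
        'X-Parse-REST-API-Key': restKey,
        'X-Parse-Application-Id': appId,
      },
      body: JSON.stringify({
        username,
        password,
        authData: { mfa: { mobile, token: 'request' } },
      }),
    },
  };
}

// Classify the server's JSON reply using the two responses quoted in the issue:
// code 141 "Please enter the token" is the expected outcome, code 142 with the
// password-history message is the bug. Anything else is reported as unexpected.
function interpretResponse(json) {
  if (json && json.code === 141 && /enter the token/i.test(json.error || '')) {
    return 'expected: token requested, enter the SMS token';
  }
  if (json && json.code === 142 && /password/i.test(json.error || '')) {
    return 'bug reproduced: token request treated as a password change';
  }
  return `unexpected response: ${JSON.stringify(json)}`;
}

// Send the request only when a target is configured, so the file can also be
// loaded without network access (it then returns null).
async function reproduce() {
  const { PARSE_SERVER_URL, PARSE_APP_ID, PARSE_REST_KEY, PARSE_TEST_PASSWORD } = process.env;
  if (!PARSE_SERVER_URL || !PARSE_APP_ID || !PARSE_REST_KEY) {
    return null;
  }
  const req = buildTokenRequest(PARSE_SERVER_URL, PARSE_APP_ID, PARSE_REST_KEY,
    'tester', PARSE_TEST_PASSWORD || '', '+11111111111');
  const res = await fetch(req.url, req.options);
  const verdict = interpretResponse(await res.json());
  console.log(`HTTP ${res.status}: ${verdict}`);
  return verdict;
}

reproduce()
  .then((verdict) => {
    if (verdict === null) {
      console.log('PARSE_SERVER_URL / PARSE_APP_ID / PARSE_REST_KEY not set; nothing sent.');
    }
  })
  .catch((err) => {
    console.error(err);
    process.exitCode = 1;
  });
```

Run it once with maxPasswordHistory set and once with it removed; the verdict line should flip from "bug reproduced" to "expected" if the server behaves as the issue describes.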
Actual Outcome
The sendSMS callback is not called, and this is the current result if maxPasswordHistory is != 0:

{
  "code": 142,
  "error": "New password should not be the same as last 5 passwords."
}
Expected Outcome
The sendSMS callback returns the token, and this is the expected response to the token request:

{
  "code": 141,
  "error": "Please enter the token"
}
Environment
Node: 18.20.5
Server
- Parse Server version: 7.4.0
- Operating system: Ubuntu 20.04
- Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Digital Ocean
Database
- System (MongoDB or Postgres): MongoDB
- Database version: 6
- Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): Digital Ocean