Fix bug regarding token deletions upon successful password resets #5724
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In the default authentication system created by the `mix phx.gen.auth`, when a password has been successfully reset, it deletes all of the tokens regardless of their context, however, this is problematic in the following scenario: - A user has been registered, which creates a token with the `confirm` context and account confirmation instructions delivered via email. - The user has not clicked on the confirmation email message yet. - The user requests password reset instructions and gets them via email. - The user successfully follows the password reset instructions. - The user tries to click on the confirmation email, but it is no longer valid. By scoping the deletion to only `reset_password` tokens, the bug is gone and the confirm token will still be valid regardless of the abovementioned process.
roberto-aguilar
force-pushed
the
hotfix/user-reset-password-tokens
branch
from
7ba3de5
to
6bb80a9
Compare
|
Resetting the password should typically invalidate all other sessions, requests to change emails, etc. It doesn't need to reset the confirmation token indeed, but almost everything else is a must. |
@josevalim, this sounds reasonable for me as well. I've added necessary changes to keep confirmation token on this case. There is also other case (email change) that I think should be improved from security point of view. Some corrections. And optional idea described to consider as well. Could you please review it? Thank you in advance. 🙇🏼 #5951 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the default authentication system created by the
mix phx.gen.auth, when a password has been successfully reset, it deletes all of the tokens regardless of their context, however, this is problematic in the following scenario:confirmcontext and account confirmation instructions delivered via email.By scoping the deletion to only
reset_passwordtokens, the bug is gone and theconfirmtoken will still be valid regardless of the abovementioned process.