Feature userdb password restserver
In order to do this, I had to expose these new routes in RESTServer:
# - Authentication management (if restAuthServer is on)
#   * POST /auth/getUser : get user attributes
#   * POST /auth/pwdReset : reset password
#   * POST /auth/pwdConfirm : confirm password
These routes are protected by Apache, like every other sensitive RESTServer.pm feature (see e77f85db).
However, we don't offer the level of protection that we have in the session rest server, where every session write has to be authenticated by some sort of signature (encrypted timestamp). That's because the API of Auth::REST, UserDB::REST and Password::REST does not specify this possibility.
In the current state, turning the new config option restAuthServer to On may expose admins to critical security issues (password change of any user without confirmation) if bugs such as #1943 (closed) or #1933 (closed) appear again in the future.