-
Simon Urli authored
Change the mechanism of the reset password token to not reset it at each verification code check, but only when the password is actually reset, and when its lifetime expired. Also provide a mandatory document initializer for the ResetPasswordRequest xclass. Change a bit more the logic: if the token lifetime configuration is set to 0 (which was the default) then we automatically remove the reset password request xobject at first wrong attempt (bad verification code): it will prevent any bruteforce attack. Then if there's a token lifetime configuration set, we don't remove the xobject when a bad attempt is performed: user might have used the wrong mail for example. But we do remove the xobject when it's expired. And if it's expired, or if the code was wrong, in both cases we immediately return an error. Move ResetPasswordIT and ForgotUserNameIT from administration-test-docker to a new module security-authentication-test-docker since it's related to security-authentication module now. --------- Co-authored-by:Manuel Leduc <manuel.leduc@xwiki.com>
Simon Urli authoredChange the mechanism of the reset password token to not reset it at each verification code check, but only when the password is actually reset, and when its lifetime expired. Also provide a mandatory document initializer for the ResetPasswordRequest xclass. Change a bit more the logic: if the token lifetime configuration is set to 0 (which was the default) then we automatically remove the reset password request xobject at first wrong attempt (bad verification code): it will prevent any bruteforce attack. Then if there's a token lifetime configuration set, we don't remove the xobject when a bad attempt is performed: user might have used the wrong mail for example. But we do remove the xobject when it's expired. And if it's expired, or if the code was wrong, in both cases we immediately return an error. Move ResetPasswordIT and ForgotUserNameIT from administration-test-docker to a new module security-authentication-test-docker since it's related to security-authentication module now. --------- Co-authored-by:
