Unverified Commit b410dad4 authored by Simon Urli's avatar Simon Urli Committed by GitHub

XWIKI-21571: Change default value of the reset password token lifetime (#3012)


Change the mechanism of the reset password token to not reset it at each
verification code check, but only when the password is actually reset,
and when its lifetime expired.
Also provide a mandatory document initializer for the
ResetPasswordRequest xclass.

Change the logic a bit more: if the token lifetime configuration is set
to 0 (which was the default) then we automatically remove the reset
password request xobject at the first wrong attempt (bad verification code):
it will prevent any brute-force attack. Then if there's a token lifetime
configuration set, we don't remove the xobject when a bad attempt is
performed: the user might have used the wrong mail for example. But we do
remove the xobject when it's expired. And if it's expired, or if the
code was wrong, in both cases we immediately return an error.

Move ResetPasswordIT and ForgotUserNameIT from
administration-test-docker to a new module
security-authentication-test-docker since it's related to
security-authentication module now.

---------

Co-authored-by: Manuel Leduc <manuel.leduc@xwiki.com>
parent 1783fd9e
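The two behaviours the commit message describes (lifetime 0: drop the request on the first wrong code; lifetime set: keep it on a wrong code, drop it once expired, and consume it only when the password is actually reset) as an added, stand-alone Python model. This is not XWiki's code: the store, the minute-based lifetime, the injectable clock and the user/code names are all assumptions for illustration.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class ResetPasswordRequest:
    """Hypothetical stand-in for the ResetPasswordRequest xobject."""
    verification_code: str
    created_at: float  # seconds since the epoch


class ResetPasswordStore:
    """Models the token-lifetime logic from the commit message.

    token_lifetime_minutes == 0 : first wrong code removes the request.
    token_lifetime_minutes  > 0 : wrong code keeps the request; expiry removes it.
    The request is consumed only by a successful reset_password().
    """

    def __init__(self, token_lifetime_minutes: int, now=time.time):
        self.token_lifetime_minutes = token_lifetime_minutes
        self.now = now  # injectable clock so expiry can be tested deterministically
        self.requests: dict[str, ResetPasswordRequest] = {}

    def create_request(self, user: str, code: str) -> None:
        self.requests[user] = ResetPasswordRequest(code, self.now())

    def check_verification_code(self, user: str, code: str) -> bool:
        request = self.requests.get(user)
        if request is None:
            return False
        if self.token_lifetime_minutes > 0:
            age_minutes = (self.now() - request.created_at) / 60
            if age_minutes > self.token_lifetime_minutes:
                del self.requests[user]  # expired: remove and report an error
                return False
        # Constant-time comparison so the check itself leaks nothing about the code.
        if not hmac.compare_digest(request.verification_code, code):
            if self.token_lifetime_minutes == 0:
                del self.requests[user]  # no lifetime: one wrong attempt ends the request
            return False
        return True  # correct code; the request survives until the password is reset

    def reset_password(self, user: str, code: str, new_password: str) -> bool:
        if not self.check_verification_code(user, code):
            return False
        del self.requests[user]  # the token is consumed only here
        return True
```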