Roundup Tracker - Issues

Issue 2551155

Classification
Title: Make password reset one time key time limited
Type: security
Severity: normal
Components:
Versions:
Process
Status: new
: rouilj
Priority: normal
: Effort-Low

Created on 2021-08-24 00:26 by rouilj, last changed 2021-08-24 00:31 by rouilj.

Messages
msg7330 Author: [hidden] (rouilj) Date: 2021-08-24 00:26
The password reset email that is sent includes a one time key (OTK) to
reset the password. This OTK doesn't look like it is time
limited. It should be unusable after some period of time set in
the config file. This prevents replay of old unused password reset
emails.

Add new option [main] password_reset_timeout_in_sec. Value is the
number of seconds after which the password reset OTK is ignored.
Default 24 hours.

Note that time is truncated to nearest minute (we don't want to explain
to user that lifetime is 1h12m3s).

Change roundup/cgi/actions.py: PassResetAction::handle() to check
__timestamp value for the one time key. If difference between
__timestamp and current time is greater than the timeout,
report that it has expired using add_error_message. If __timestamp
is not available store the time.time() value in the OTK when
creating it.

Update reset email text to include timeout info in hours/minutes.

Update new password email to include the tracker url and a
recommendation to log in and change the password.
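The expiry check proposed above, as an added example that is not Roundup's own code: a small in-memory one-time-key store that records a creation timestamp (the issue's proposed __timestamp field) alongside each key, rejects keys older than a configurable timeout, and renders that timeout in whole hours and minutes for the reset email. The class and function names, the default of 24 hours, and the injectable clock are assumptions for illustration; the real change would live in roundup/cgi/actions.py and read the timeout from the tracker config.

```python
import secrets
import time

# Assumed default for the proposed [main] password_reset_timeout_in_sec
# option: 24 hours, as suggested in the issue.
DEFAULT_RESET_TIMEOUT_SEC = 24 * 60 * 60


def describe_lifetime(seconds):
    """Render a timeout as whole hours and minutes for the reset email.

    Leftover seconds are truncated, so a lifetime of 1h12m3s is reported
    as "1 hour, 12 minutes" rather than exposing the odd seconds.
    """
    minutes_total = int(seconds) // 60
    hours, minutes = divmod(minutes_total, 60)
    parts = []
    if hours:
        parts.append("%d hour%s" % (hours, "" if hours == 1 else "s"))
    if minutes or not parts:
        parts.append("%d minute%s" % (minutes, "" if minutes == 1 else "s"))
    return ", ".join(parts)


class OTKStore:
    """Hypothetical stand-in for the tracker's one-time-key store.

    Each key records the user it was issued for and a __timestamp taken
    from time.time() when the key is created, so it can be expired later.
    """

    def __init__(self, timeout_sec=DEFAULT_RESET_TIMEOUT_SEC, clock=time.time):
        self.timeout_sec = timeout_sec
        self.clock = clock  # injectable so the expiry path is testable offline
        self._keys = {}

    def create(self, user):
        """Issue a fresh random key and store it with its creation time."""
        otk = secrets.token_urlsafe(32)
        self._keys[otk] = {"user": user, "__timestamp": self.clock()}
        return otk

    def redeem(self, otk):
        """Return (user, None) for a valid key, or (None, error_message).

        A key is consumed on first use so an old reset email cannot be
        replayed; an expired key is discarded rather than left in the store.
        """
        entry = self._keys.get(otk)
        if entry is None:
            return None, "Invalid password reset key"
        age = self.clock() - entry["__timestamp"]
        del self._keys[otk]
        if age > self.timeout_sec:
            return None, ("Password reset key has expired (keys are valid for %s)"
                          % describe_lifetime(self.timeout_sec))
        return entry["user"], None
```

In the tracker the error string would be passed to add_error_message and the describe_lifetime output would be interpolated into the reset email template; the one-time consumption is what stops a still-unexpired key from being used twice.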
msg7331 Author: [hidden] (rouilj) Date: 2021-08-24 00:31
See:
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html
History
Date                 User    Action  Args
2021-08-24 00:31:41  rouilj  set     messages: + msg7331
2021-08-24 00:26:26  rouilj  create