Roundup Tracker - Issues

Issue 2551155

Make password reset one time key time limit configurable
Type: security Severity: normal
Components: Versions:
Status: new
: : rouilj
Priority: normal : Effort-Low, StarterTicket

Created on 2021-08-24 00:26 by rouilj, last changed 2024-01-12 02:45 by rouilj.

msg7330 Author: [hidden] (rouilj) Date: 2021-08-24 00:26
The password reset email that is sent includes a one time key (OTK) to
reset the password. This OTK doesn't look like it is time
limited. It should be unusable after some period of time set in
the config file. This prevents replay of old unused password reset

Add new option [main] password_reset_timeout_in_sec. Value is the
number of  seconds after which the password reset OTK is ignored.
Default 24 hours.

Note that time is truncated to nearest minute (we don't want to explain 
to user that lifetime is 1h12m3s).

Change roundup/cgi/ PassResetAction::handle() to check
__timestamp value for the one time key. If difference between
__timestamp and current time is greater than the timeout,
report that it has expired using add_error_message. If __timestamp
is not available store the time.time() value in the OTK when
creating it.

Update reset email text to include timeout info in hours/minutes.

Update new password email to include the tracker url and a
recommendation to log in and change the password.
msg7331 Author: [hidden] (rouilj) Date: 2021-08-24 00:31
msg7615 Author: [hidden] (rouilj) Date: 2022-07-23 22:53
It is time limited. The __timestamp property is set to now and that means
it gets deleted in a week by the Client::clean_up method called during web page 

However being able to control that with a config setting would be good.
Date User Action Args
2024-01-12 02:45:41rouiljsettitle: Make password reset one time key time limited -> Make password reset one time key time limit configurable
2022-07-24 06:16:36rouiljsetkeywords: + StarterTicket
2022-07-23 22:53:41rouiljsetmessages: + msg7615
2021-08-24 00:31:41rouiljsetmessages: + msg7331
2021-08-24 00:26:26rouiljcreate