Roundup Tracker - Issues

Issue 2551157

classification
Title: Change password reset not send password via email
Type: security
Severity: normal
Components: (none)
Versions: (none)

process
Status: new
Superseder: (none)
Assigned To: (none)
Nosy List: rouilj
Priority: (none)
Keywords: Effort-Medium

Created on 2021-08-24 01:02 by rouilj, last changed 2021-08-29 01:09 by rouilj.

Messages
msg7333 Author: [hidden] (rouilj) Date: 2021-08-24 01:02
On a password reset, we send the new password to the user via email.

https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

recommends making the unique URL display a page that lets the user reset
the password.

See if we can implement this.
msg7334 Author: [hidden] (rouilj) Date: 2021-08-24 04:37
Thoughts:

If config option online_password_recovery (or somesuch) is set, have
roundup/cgi/actions.py:PassResetAction::handle() destroy the OTK.

Generate/save a new OTK (1) with a short lifetime (10 minutes??) to be
used as an authenticator for the user.

Then raise a redirect to the user.pwreset.html template with a new
OTK.

The pwreset template replicates only the password fields from the
user.item.html template. It submits to the pwreset action.

Create a new action: ResetPassword that expects the OTK and passwords.
Sets the password of the user in the OTK if both passwords are the
same. Destroys the OTK.

If passwords aren't the same, redirect to the pwreset template
reporting password mismatch. Not sure if this needs a new OTK or can
reuse OTK (1).  Need to limit this cycle. Consider regenerating OTK
with counter. So OTK (2) has a counter=2 and limit to 3 or 5
attempts. Then user needs to go back to generating email with OTK.
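The two-token flow sketched in msg7334 (emailed OTK exchanged for a short-lived form OTK, single-use tokens, a mismatch counter that forces the user back to the email step) can be modelled end to end. The block below is an added example for this issue, not Roundup's own code: the in-memory TokenStore and the function names issue_email_otk, redeem_email_otk and reset_password are hypothetical, as are the email-link lifetime of one day, the 10-minute form-token lifetime and the limit of 3 attempts, which just take the values discussed in the message.

```python
# Added example, not Roundup code. Models the password-reset flow from
# msg7334 with an in-memory token store. Every name below is assumed.
import hashlib
import secrets
import time

EMAIL_OTK_TTL = 24 * 3600   # assumption: lifetime of the link mailed out
FORM_OTK_TTL = 10 * 60      # the "10 minutes??" from the message
MAX_ATTEMPTS = 3            # "limit to 3 or 5 attempts"


def _digest(token):
    # Store only a hash of the token so a leaked table exposes no live OTKs.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Maps hashed OTK -> {user, kind, expires, attempts}."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be tested
        self._records = {}

    def create(self, user, kind, ttl, attempts=0):
        token = secrets.token_urlsafe(32)
        self._records[_digest(token)] = {
            "user": user, "kind": kind,
            "expires": self.clock() + ttl, "attempts": attempts,
        }
        return token

    def lookup(self, token, kind):
        rec = self._records.get(_digest(token))
        if rec is None or rec["kind"] != kind:
            return None
        if rec["expires"] <= self.clock():
            self.destroy(token)   # expired tokens are purged on sight
            return None
        return rec

    def destroy(self, token):
        self._records.pop(_digest(token), None)


def issue_email_otk(store, user):
    """Step 1: the OTK embedded in the URL that is mailed to the user."""
    return store.create(user, "email", EMAIL_OTK_TTL)


def redeem_email_otk(store, email_token):
    """PassResetAction analogue: destroy the emailed OTK and hand back a
    short-lived form OTK (attempt 1), or None if the link is bad/expired."""
    rec = store.lookup(email_token, "email")
    if rec is None:
        return None
    store.destroy(email_token)
    return store.create(rec["user"], "form", FORM_OTK_TTL, attempts=1)


def reset_password(store, form_token, password, confirm, set_password):
    """ResetPassword action analogue. Returns (status, next_token):
      ("ok", None)           password set, OTK destroyed
      ("mismatch", new_otk)  passwords differ; retry with a regenerated OTK
      ("locked", None)       attempt limit reached; go back to the email step
      ("invalid", None)      unknown, wrong-kind or expired OTK
    """
    rec = store.lookup(form_token, "form")
    if rec is None:
        return ("invalid", None)
    store.destroy(form_token)          # every OTK is single-use
    if password and password == confirm:
        set_password(rec["user"], password)
        return ("ok", None)
    if rec["attempts"] >= MAX_ATTEMPTS:
        return ("locked", None)
    # Regenerate the OTK with the counter carried forward; keep the
    # original deadline so retries never extend the 10-minute window.
    remaining = rec["expires"] - store.clock()
    new_token = store.create(rec["user"], "form", remaining,
                             attempts=rec["attempts"] + 1)
    return ("mismatch", new_token)


if __name__ == "__main__":
    store = TokenStore()
    link_token = issue_email_otk(store, "alice")     # goes into the email
    form_token = redeem_email_otk(store, link_token)  # user clicks the link
    print(reset_password(store, form_token, "pw", "pw", lambda u, p: None))
```

The template would carry the form OTK as a hidden field; on "mismatch" it re-renders with the new token, and on "locked" or "invalid" it sends the user back to the request-reset page rather than accepting any further submissions for that token.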
History
Date                 User    Action  Args
2021-08-29 01:09:41  rouilj  set     title: Change password reset to not send password via email -> Change password reset not send password via email
2021-08-24 04:37:23  rouilj  set     keywords: + Effort-Medium
                                     messages: + msg7334
2021-08-24 01:02:54  rouilj  create