Feature Proposal: Improve security of password reset.
Motivation
There are a number of open tasks around Reset Password. The current function reveals information about the account being reset, and changes the password without any confirmation from the account owner.
Description and Documentation
Change the Password Reset function to generate a reset token and email it to the user requesting the reset.
- Very short lifetime reset token. Default 10 minutes. (May need to be longer for users who greylist.)
- If user ignores the email, then nothing is done, and the password is not reset.
- Token should allow access to only the Change Password page.
Addresses:
- Item10206: It's too easy to reset another user's password
- Item556: Allow password reset by entering email address.
- Item9420: Reset password should not be permitted for base mapper users.
- Item2071: Reset password gives away too much information
Examples
Impact
Implementation
I've not yet decided on an implementation. But I'm thinking that:
- The token will cause a login, but with an access restriction.
- Any other URL will force the user back to the change page.
- Once password is changed, the restriction will be removed.
- User will not have to re-login after changing the password.
The "Token Auth" will be implemented in Foswiki::LoginManager::loadSession():
- cryptographic token stored in working/tmp/tokenauth_xxxxxxxxx using Storable
- Set AccessRestriction={webname.topicname} as a session variable.
Access check implemented in Foswiki::UI::checkAccess(). If the URL for the request doesn't match the AccessRestriction, redirect to the AccessRestriction topic.
$hash = {
    'cUID' => 'JoeUser',
    'expires' => time() + $ttl,    # $ttl: configurable lifetime in seconds, default 600 (10 minutes)
    'FOSWIKI_TOPICRESTRICTION' => 'System.ChangePassword',
};
This would accomplish a few things:
This may also be a good time to move UI::Password and UI::Manage functions for changing password and email, and the password reset function into a REST handler.
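To make the token-file design above concrete, here is an added example (written for this page, not Foswiki's own code): the token hash is stored with Storable, consumed once by a loadSession-style check that enforces the expiry, and the topic restriction is enforced by a checkAccess-style check. The function names, the temporary directory standing in for working/tmp, and /dev/urandom as the random source are assumptions.

```perl
use strict;
use warnings;
use Storable qw(store retrieve);
use File::Temp qw(tempdir);

# Stand-in for Foswiki's working/tmp directory (assumption for this example).
my $TOKEN_DIR = tempdir( CLEANUP => 1 );

# Default lifetime is 10 minutes, as in the proposal; $ttl is the configurable override.
sub create_reset_token {
    my ( $cuid, $ttl ) = @_;
    $ttl //= 600;
    # 32 random bytes from the OS, hex-encoded: unguessable and safe in a URL or filename.
    open my $rnd, '<:raw', '/dev/urandom' or die "no urandom: $!";
    read $rnd, my $bytes, 32 or die "short read from urandom";
    close $rnd;
    my $token = unpack 'H*', $bytes;
    store( {
        cUID                     => $cuid,
        expires                  => time() + $ttl,
        FOSWIKI_TOPICRESTRICTION => 'System.ChangePassword',
    }, "$TOKEN_DIR/tokenauth_$token" ) or die "store failed";
    return $token;
}

# loadSession()-style check: returns the session hash for a valid token, undef otherwise.
sub consume_reset_token {
    my ($token) = @_;
    return undef unless defined $token && $token =~ /\A[0-9a-f]{64}\z/;   # reject anything that is not a token
    my $file = "$TOKEN_DIR/tokenauth_$token";
    return undef unless -f $file;
    my $hash = retrieve($file);
    unlink $file;                         # single use: the file goes whether the token was valid or expired
    return undef if $hash->{expires} < time();
    return $hash;
}

# checkAccess()-style check: given the requested Web.Topic, return the topic the user may actually see.
sub enforce_restriction {
    my ( $session, $requested ) = @_;
    my $allowed = $session->{FOSWIKI_TOPICRESTRICTION};
    return $requested unless defined $allowed;              # restriction removed once the password is changed
    return $requested eq $allowed ? $requested : $allowed;  # any other URL redirects to the restriction topic
}

my $t = create_reset_token('JoeUser');
my $s = consume_reset_token($t);
print "logged in as $s->{cUID}, restricted to $s->{FOSWIKI_TOPICRESTRICTION}\n";
print enforce_restriction( $s, 'Main.WebHome' ), "\n";       # prints System.ChangePassword
print defined consume_reset_token($t) ? "reused!\n" : "token already consumed\n";
```

The one-time deletion in consume_reset_token is what keeps an ignored or leaked email from being replayed after the 10-minute window.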
--
Contributors: GeorgeClark - 30 Sep 2017
Discussion
Need to remove the context => support. Since context doesn't persist, it doesn't make much sense.
--
GeorgeClark - 07 Oct 2017