Closed Bug 1049004 Opened 10 years ago Closed 10 years ago

[spartacus] trigger provider logout after PIN reset

Categories

(Marketplace Graveyard :: Payments/Refunds, defect, P3)

Avenir
x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED
2014-12-02

People

(Reporter: kumar, Assigned: scolville)

References

Details

Just to be paranoid, it would be a good defense-in-depth measure to always log the user out of Bango (and other providers) after a PIN reset. This means that if our PIN reset flow was ever compromised (see bug 1048976!) then at least the attacker wouldn't gain access to saved credit cards so easily. 

Logging the user out of Bango like this shouldn't pose too much of a usability problem since the user had already gone through a PIN reset anyway. They are already in the sad path of re-entering credentials.
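The measure proposed above, sketched as an added example (not code from this bug, its reporter, or Spartacus). Every name in it is hypothetical, `logout()` is a synchronous stand-in for a provider's real logout request, and blocking payment when a logout fails goes one step beyond what the report asks for.

```javascript
// Added illustration; all names are hypothetical, not Spartacus code.
// A provider object models an active session with saved cards behind it.
function makeProvider(name, logoutWorks) {
  const provider = {
    name,
    loggedIn: true, // constructed state for the example
    logout() {
      // Synchronous stand-in for the provider's real logout request.
      if (logoutWorks) provider.loggedIn = false;
      return logoutWorks;
    },
  };
  return provider;
}

// Call once a PIN reset has completed. Every provider session is ended;
// if any logout fails or throws, the flow fails closed and payment stays
// blocked, so a compromised reset cannot ride an existing provider session.
function endProviderSessionsAfterPinReset(flow, providers) {
  flow.canPay = false; // blocked until every provider session is gone
  const stillLoggedIn = [];
  for (const p of providers) {
    let ok = false;
    try {
      ok = p.logout() === true;
    } catch (err) {
      ok = false; // an error counts as a failed logout
    }
    if (!ok) stillLoggedIn.push(p.name);
  }
  flow.canPay = stillLoggedIn.length === 0;
  return { canPay: flow.canPay, stillLoggedIn };
}

// Constructed scenario: one provider logs out cleanly, one does not.
function demo() {
  const good = [makeProvider('bango', true)];
  const mixed = [makeProvider('bango', true), makeProvider('other', false)];
  return {
    allOut: endProviderSessionsAfterPinReset({}, good),
    oneStuck: endProviderSessionsAfterPinReset({}, mixed),
  };
}
```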

FYI, the reset PIN flow was affected by bug 1042381
Blocks: 837289
Priority: -- → P3
Assignee: nobody → scolville
Status: NEW → ASSIGNED
Is this required? We can't be adding more to the single page app at this stage.
Status: ASSIGNED → NEW
Following our Vidyo conversation this can be looked at post-release.
https://github.com/mozilla/spartacus/commit/b390d0951e5594a8ebfe1d46baab04233aafb8d2
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2014-12-02