
Expire reset tokens every 12 hours

RESOLVED FIXED in 1.3

Status

Product: Cloud Services
Component: Server: Sync
Status: RESOLVED FIXED
Reported: 9 years ago
Modified: 8 years ago

People

(Reporter: telliott, Assigned: telliott)

Tracking

Version: unspecified
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [AA-AT-04-A])

Attachments

(1 attachment)

(Assignee)

Description

9 years ago
Security review produced a ton of recommendations on the password reset flow. Honestly, most of them seem odd, such as disabling login on password reset. In discussion with clyon, though, we decided it would be a good idea to expire password reset codes after 12 hours.

Two possible approaches to this:

1) We can have a cron sweep the db every 12 hours and purge expired ones. This will not work for external users, but is quick and easy.

2) We can add an expiry date. That would be better, but require an extra column in the schema, so we'd be bumping revision.

I think we'll do 1 for now and put 2 on the roadmap.

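The two approaches above side by side, as an added example that is not code from the weaveserver-registration project: an expiry column that is checked every time a code is redeemed (approach 2), and a sweep that a cron job can run to purge expired rows (approach 1). It uses an in-memory sqlite3 table standing in for the MySQL schema, the 6-hour window the patch in this bug ended up with, and an assumed table name, column names and a constructed clock; none of those come from the page.

```python
"""Password-reset codes with a time window and a periodic sweep.

Added illustration, not the project's own code. Table and column names,
the hashing of stored codes and the fixed test clock are assumptions.
"""
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Window chosen in the landed patch; the description first proposed 12 hours.
RESET_WINDOW = timedelta(hours=6)

# Constructed clock so the behaviour is reproducible offline.
T0 = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)


def hours_after(h):
    """Return the constructed clock advanced by h hours."""
    return T0 + timedelta(hours=h)


def open_store():
    """Create the (assumed) reset-code table. Times are kept as Unix seconds
    so the comparison is exact and independent of the database's timezone."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE reset_codes ("
        " username   TEXT    NOT NULL,"
        " code_hash  TEXT    NOT NULL,"
        " expires_at INTEGER NOT NULL)"
    )
    return db


def _hash(code):
    # Store only a digest so a leaked table does not hand out live reset codes.
    return hashlib.sha256(code.encode()).hexdigest()


def _epoch(t):
    return int(t.timestamp())


def issue_reset_code(db, username, now=None):
    """Mint a fresh code for username and record when it stops being valid."""
    now = now or datetime.now(timezone.utc)
    code = secrets.token_urlsafe(24)
    # One outstanding code per user: a new request invalidates the old code.
    db.execute("DELETE FROM reset_codes WHERE username = ?", (username,))
    db.execute(
        "INSERT INTO reset_codes (username, code_hash, expires_at) VALUES (?, ?, ?)",
        (username, _hash(code), _epoch(now + RESET_WINDOW)),
    )
    db.commit()
    return code


def redeem_reset_code(db, username, code, now=None):
    """Approach 2: the expiry is enforced on every check, so a stale code is
    refused even if no sweep has run since it expired. A valid code is
    accepted once; its row is deleted so it cannot be replayed."""
    now = now or datetime.now(timezone.utc)
    row = db.execute(
        "SELECT rowid FROM reset_codes"
        " WHERE username = ? AND code_hash = ? AND expires_at > ?",
        (username, _hash(code), _epoch(now)),
    ).fetchone()
    if row is None:
        return False
    db.execute("DELETE FROM reset_codes WHERE rowid = ?", (row[0],))
    db.commit()
    return True


def sweep_expired(db, now=None):
    """Approach 1: housekeeping for a cron job; returns the number of rows purged.
    The MySQL form of the same statement is
        DELETE FROM reset_codes WHERE expires_at < NOW()
    or, with a column holding the issue time instead of the expiry,
        ... WHERE issued_at < NOW() - INTERVAL 6 HOUR   (HOUR is singular)."""
    now = now or datetime.now(timezone.utc)
    cur = db.execute("DELETE FROM reset_codes WHERE expires_at <= ?", (_epoch(now),))
    db.commit()
    return cur.rowcount


def outstanding_codes(db):
    """Rows still in the table, live or expired: shows why a sweep is still useful."""
    return db.execute("SELECT COUNT(*) FROM reset_codes").fetchone()[0]


if __name__ == "__main__":
    db = open_store()
    code = issue_reset_code(db, "alice", now=hours_after(0))
    print("redeem 7h later:", redeem_reset_code(db, "alice", code, now=hours_after(7)))
    print("stale rows left behind:", outstanding_codes(db))
    print("sweep removed:", sweep_expired(db, now=hours_after(7)))
```

Because the redemption query checks `expires_at` itself, the sweep is only housekeeping: a missed cron run leaves dead rows in the table but never lets an old code through, which is the property the review comments later settle on.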
Comment 1

9 years ago
This one was a bit odd, but from the standpoint of an internal application with a traditional help desk it makes some sense. I think the resetting of the tokens is a valid approach; everything else is overkill.
(Assignee)

Updated

9 years ago
Target Milestone: --- → 2.0

Updated

8 years ago
Flags: blocking-weave1.2?
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: 2.0 → 1.2

Updated

8 years ago
Flags: blocking-weave1.2? → blocking-weave1.3?
Target Milestone: 1.2 → 1.3
(Assignee)

Comment 2

8 years ago
Created attachment 440622 [details] [diff] [review]
adds a 6-hour window to the password reset key.

Went with 6 hours rather than 12, as that should be plenty.
Attachment #440622 - Flags: review?(lorchard)
Comment 3

8 years ago
Comment on attachment 440622 [details] [diff] [review]
adds a 6-hour window to the password reset key.

Looks good.  Only thing I'd say is to set up a cronjob at some point to sweep up the expired reset codes.  But, since the code here checks expirations, it doesn't seem urgent.
Attachment #440622 - Flags: review?(lorchard) → review+
(Assignee)

Comment 4

8 years ago
Fixed in http://hg.mozilla.org/labs/weaveserver-registration/rev/e5f79d9d44d8
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Comment 5

8 years ago
Not sure if this is a problem with just the MySQL I have installed, but:

The INTERVAL 6 HOURS bit in the mozilla.php driver causes a SQL error. Looks like it should just be "6 HOUR". Missed it the first time through, because I had only tried the mysql.php auth driver.
(Assignee)

Comment 6

8 years ago
Oh, grr. Got it right in the mysql version, then typoed it in the mozilla one.

Updated in http://hg.mozilla.org/labs/weaveserver-registration/file/5c736eedb198

Updated

8 years ago
Flags: blocking-weave1.3?