Closed Bug 547808 Opened 11 years ago Closed 11 years ago

Expire reset tokens every 12 hours

Categories

(Cloud Services :: Server: Sync, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: telliott, Assigned: telliott)

Details

(Whiteboard: [AA-AT-04-A])

Attachments

(1 file)

Security review produced a ton of recommendations on the password reset flow. Honestly, most of them seem odd, such as disabling login on password reset. In discussion with clyon, though, we decided it would be a good idea to expire password reset codes after 12 hours.

Two possible approaches to this:

1) We can have a cron sweep the db every 12 hours and purge expired ones. This will not work for external users, but is quick and easy.

2) We can add an expiry date. That would be better, but require an extra column in the schema, so we'd be bumping revision.

I think we'll do 1 for now and put 2 on the roadmap.
This one was a bit odd but from a standpoint of an internal application with a traditional help desk it makes some sense. I think the resetting of the tokens is a valid approach, everything else is overkill.
Target Milestone: --- → 2.0
Flags: blocking-weave1.2?
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: 2.0 → 1.2
Flags: blocking-weave1.2? → blocking-weave1.3?
Target Milestone: 1.2 → 1.3
Went with 6 hours rather than 12, as that should be plenty.
Attachment #440622 - Flags: review?(lorchard)
Comment on attachment 440622
adds a 6-hour window to the password reset key.

Looks good.  Only thing I'd say is to set up a cronjob at some point to sweep up the expired reset codes.  But, since the code here checks expirations, it doesn't seem urgent.
Attachment #440622 - Flags: review?(lorchard) → review+
Fixed in http://hg.mozilla.org/labs/weaveserver-registration/rev/e5f79d9d44d8
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Not sure if this is a problem with just the MySQL I have installed, but:

The INTERVAL 6 HOURS bit in mozilla.php driver causes a SQL error. Looks like it should just be "6 HOUR". Missed it the first time through, because I just tried the mysql.php auth driver.
Oh, grr. Got it right in the mysql version, then typoed it in the mozilla one.

Updated in http://hg.mozilla.org/labs/weaveserver-registration/file/5c736eedb198
Flags: blocking-weave1.3?
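
Added example, not part of the bug thread or the weaveserver-registration code: a sketch of the two mechanisms discussed above, with the 6-hour expiry enforced in the lookup query and a cron-style sweep used only for cleanup. The table and column names, the function names and the use of SQLite in place of MySQL are assumptions made for illustration.

```python
import secrets
import sqlite3
import time

RESET_TTL_SECONDS = 6 * 60 * 60  # the 6-hour window chosen in this bug


def open_db():
    """In-memory stand-in for the reset-code table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE reset_codes ("
        " username TEXT PRIMARY KEY,"
        " code TEXT NOT NULL,"
        " issued_at INTEGER NOT NULL)"  # epoch seconds
    )
    return db


def issue_code(db, username, now=None):
    """Store a fresh code; re-issuing replaces (and so invalidates) the old one."""
    now = int(time.time()) if now is None else now
    code = secrets.token_urlsafe(24)
    db.execute("INSERT OR REPLACE INTO reset_codes VALUES (?, ?, ?)",
               (username, code, now))
    return code


def redeem_code(db, username, code, now=None):
    """True only for a matching code younger than the TTL; the code is consumed."""
    now = int(time.time()) if now is None else now
    # Expiry lives in the WHERE clause, so a late or missing sweep cannot
    # extend a code's life. With a MySQL DATETIME column the condition would
    # read: issued_at > NOW() - INTERVAL 6 HOUR
    cur = db.execute(
        "DELETE FROM reset_codes"
        " WHERE username = ? AND code = ? AND issued_at > ?",
        (username, code, now - RESET_TTL_SECONDS))
    return cur.rowcount == 1


def sweep_expired(db, now=None):
    """Cron-style housekeeping: delete rows past the TTL, return how many."""
    now = int(time.time()) if now is None else now
    cur = db.execute("DELETE FROM reset_codes WHERE issued_at <= ?",
                     (now - RESET_TTL_SECONDS,))
    return cur.rowcount
```

Because redemption is a single `DELETE` with the age condition, an expired row that the sweep has not yet removed is still rejected, and a valid code cannot be used twice.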