I have searched through this plugin's documentation and on StackOverflow and haven't found anything providing this functionality.
A potential security issue I've noticed while using the application is that RegistrationCode tokens don't expire by default. The way I've had to force them to expire (I'm only using the forgotPassword workflow) is to override RegisterController.resetPassword. Then I can compare the current server time to the dateCreated attribute of RegistrationCode and, if the duration between is greater than 24 hours for instance, block the password reset attempt.
What would be preferable is if this were a simple configuration item for users of the plugin. I propose something like:

grails.plugin.springsecurity.ui.forgotPassword.expireAfter = 1d
Where a default value of 0 would mean no expiration and would provide backward compatibility. The format for defining durations should be based on some common standard / library that's already in use by Grails but I'm personally not too picky.
I would like to see this implemented to make it easier to prevent cases where:
User requests a password reset, creating a never-expiring token.
User resets their password, never deletes the email, and goes about their business.
Some time later (months, years) User's email account is breached. Bad actor clicks on forgotPassword URL and resets User's password.
User is locked out of their account while Bad Actor has free access.
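The check the issue describes (compare the server clock with RegistrationCode.dateCreated, reject the reset once the gap exceeds the configured window, and treat 0 as "never expire" for backward compatibility), written out as a stand-alone Groovy script. This is an added example, not code from the spring-security-ui plugin: the `RegistrationCode` class below is a constructed stand-in with only the `dateCreated` field the check needs, the config key name is the one proposed in the issue, and the accepted duration suffixes (d/h/m/s) are an assumption since the issue leaves the format open.

```groovy
import java.time.Duration
import java.time.Instant
import java.time.temporal.ChronoUnit

// Constructed stand-in for the plugin's RegistrationCode domain class.
// Only dateCreated (set by GORM auto-timestamping in the real plugin) matters here.
class RegistrationCode {
    String token
    Date dateCreated
}

/**
 * Parse a compact duration such as "1d", "12h", "30m", "45s" or "0".
 * "0" (or an empty/null value) yields Duration.ZERO, which means "never expire"
 * and keeps the plugin's current behaviour for anyone who does not set the option.
 * The suffix set is an assumption; the issue does not fix a format.
 */
Duration parseExpireAfter(String value) {
    if (value == null) return Duration.ZERO
    String v = value.trim().toLowerCase()
    if (v.isEmpty() || v == '0') return Duration.ZERO
    def m = v =~ /^(\d+)([dhms])$/
    if (!m.matches()) {
        throw new IllegalArgumentException("Unsupported expireAfter value: '${value}'")
    }
    long n = m.group(1) as long
    switch (m.group(2)) {
        case 'd': return Duration.ofDays(n)
        case 'h': return Duration.ofHours(n)
        case 'm': return Duration.ofMinutes(n)
        default:  return Duration.ofSeconds(n)
    }
}

/**
 * True when the code was created more than expireAfter ago.
 * A zero expireAfter never expires. 'now' is injectable so the check can be
 * unit-tested without waiting; production code passes the server clock.
 */
boolean isExpired(RegistrationCode code, Duration expireAfter, Instant now = Instant.now()) {
    if (expireAfter.isZero()) return false
    Instant created = code.dateCreated.toInstant()
    return created.plus(expireAfter).isBefore(now)
}

// --- Constructed sample data, exercising the three cases that matter ---
// Assumed config key, as proposed in the issue (value read from application.groovy in practice).
def config = [expireAfter: '1d']
Duration window = parseExpireAfter(config.expireAfter)

def staleCode = new RegistrationCode(token: 'placeholder-token-1',
        dateCreated: Date.from(Instant.now().minus(40, ChronoUnit.HOURS)))
def freshCode = new RegistrationCode(token: 'placeholder-token-2',
        dateCreated: Date.from(Instant.now().minus(2, ChronoUnit.HOURS)))

assert isExpired(staleCode, window)                    // 40h old > 1d: reject the reset
assert !isExpired(freshCode, window)                   // 2h old: still valid
assert !isExpired(staleCode, parseExpireAfter('0'))    // 0 keeps the old never-expire behaviour
assert isExpired(freshCode, parseExpireAfter('1h'))    // tighter window catches the 2h-old code
println "expiry checks passed (window = ${window})"
```

In the overriding `resetPassword` action this check belongs before anything else touches the password: look the code up by token, and if `isExpired` returns true, delete the stale RegistrationCode row and render the same "invalid or expired token" response the plugin already uses for an unknown token, so the two cases are indistinguishable to the caller. Both `dateCreated` and the comparison instant should come from the same server clock; mixing database time and application time is the usual way this kind of check ends up off by a timezone.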