mirror of https://we.phorge.it/source/phorge.git synced 2024-11-13 10:22:42 +01:00
phorge-phorge/src/applications/auth
epriestley 6232e9676c Don't send reset links to unverified addresses on accounts with verified addresses
Summary:
Via HackerOne. If a user adds an email address and typos it, entering `alinculne@gmailo.com`, and it happens to be a valid address which an evil user controls, the evil user can request a password reset and compromise the account.

This strains the imagination, but we can implement a better behavior cheaply.

  - If an account has any verified addresses, only send to verified addresses.
  - If an account has no verified addresses (e.g., is a new account), send to any address.

We've also received several reports about reset links not being destroyed as aggressively as researchers expect. While there's no specific scenario where this does any harm, revoke all outstanding reset tokens when a reset link is used to improve the signal/noise ratio of the reporting channel.

Test Plan:
  - Tried to send a reset link to an unverified address on an account with a verified address (got new error).
  - Tried to send a reset link to a verified address on an account with a verified address (got email).
  - Tried to send a reset link to an invalid address (got old error).
  - Tried to send a reset link to an unverified address on an account with only unverified addresses -- a new user (got email).
  - Requested several reset links, used one, verified all the others were revoked.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D10206
2014-08-11 12:13:09 -07:00
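The two behaviours this commit describes, the address-selection rule and revoke-on-use for reset tokens, modelled as an added example. This is illustration code, not Phorge/Phabricator code: the `Account`, `ResetTokenStore`, the error strings and the sample accounts in `make_store()` are all assumptions made for the example, and the real implementation lives in the PHP controller changed by this commit.

```python
"""Password-reset address policy and one-time token revocation.

Added illustration, not project code. The policy from the commit message:
  - if an account has any verified address, only verified addresses may
    receive a reset link;
  - if it has none (a brand-new account), any of its addresses may;
  - using one reset token revokes every other outstanding token of that user.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    emails: dict  # address -> verified flag (assumed shape)


class ResetError(Exception):
    """Raised when a reset link must not be sent or a token is not usable."""


def eligible_reset_addresses(account):
    """Addresses a reset link may be sent to under the new rule."""
    verified = [addr for addr, ok in account.emails.items() if ok]
    return verified if verified else list(account.emails)


class ResetTokenStore:
    def __init__(self):
        self.accounts = {}
        self._tokens = {}  # token -> username, outstanding (unused) tokens only

    def add_account(self, account):
        self.accounts[account.username] = account

    def request_reset(self, username, address):
        """Issue a one-time token for `address`, enforcing the policy."""
        account = self.accounts.get(username)
        if account is None or address not in account.emails:
            raise ResetError("unknown address")            # the "old" error
        if address not in eligible_reset_addresses(account):
            raise ResetError("address is not verified")   # the "new" error
        token = secrets.token_urlsafe(24)
        self._tokens[token] = username
        return token

    def outstanding(self, username):
        return [t for t, u in self._tokens.items() if u == username]

    def use_reset_token(self, token):
        """Consume `token`, then revoke the user's other outstanding tokens."""
        username = self._tokens.pop(token, None)
        if username is None:
            raise ResetError("invalid or already revoked token")
        for other in self.outstanding(username):
            del self._tokens[other]
        return username


def reset_outcome(store, username, address):
    """Return None on success, else the error message (helper for checks)."""
    try:
        store.request_reset(username, address)
        return None
    except ResetError as e:
        return str(e)


def make_store():
    """Constructed sample data mirroring the commit's scenario."""
    store = ResetTokenStore()
    # Verified primary address plus a typo'd, unverified secondary address.
    store.add_account(Account("alice", {"alice@example.com": True,
                                        "alinculne@gmailo.com": False}))
    # New user: only unverified addresses, so any of them may be used.
    store.add_account(Account("newbie", {"newbie@example.com": False}))
    return store


if __name__ == "__main__":
    s = make_store()
    print(reset_outcome(s, "alice", "alinculne@gmailo.com"))  # new error
    t1 = s.request_reset("alice", "alice@example.com")
    t2 = s.request_reset("alice", "alice@example.com")
    s.use_reset_token(t1)
    print(reset_outcome(s, "newbie", "newbie@example.com"))  # None: sent
    print(s.outstanding("alice"))                            # []: t2 revoked
```

Note that revocation is scoped to the user whose token was used; other users' outstanding tokens are untouched, which is what the last test-plan item checks.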
action Rate limit multi-factor actions 2014-04-30 14:30:31 -07:00
application Add an explicit temporary token management page to Settings 2014-08-04 12:04:13 -07:00
constants Make password reset emails use one-time tokens 2014-05-22 10:41:00 -07:00
controller Don't send reset links to unverified addresses on accounts with verified addresses 2014-08-11 12:13:09 -07:00
data Add "High Security" mode to support multi-factor auth 2014-04-27 17:31:11 -07:00
editor can now tell phabricator you trust an auth provider's emails (useful for Google OAuth), which will mark emails as "verified" and will skip email verification. 2014-05-16 14:14:06 -07:00
engine Make the current session key a component of the CSRF token 2014-08-04 12:04:47 -07:00
exception Make two-factor auth actually work 2014-04-28 10:20:54 -07:00
factor Add "temporary tokens" to auth, for SMS codes, TOTP codes, reset codes, etc 2014-05-20 11:43:45 -07:00
garbagecollector Add "temporary tokens" to auth, for SMS codes, TOTP codes, reset codes, etc 2014-05-20 11:43:45 -07:00
management Fix broken references to auth adapters 2014-07-22 21:20:45 +10:00
phid Rename PHIDType classes 2014-07-24 08:05:46 +10:00
provider Add a CanCDN flag to uploaded files 2014-08-07 18:56:20 -07:00
query Rename PhabricatorApplication subclasses 2014-07-23 10:03:09 +10:00
storage Invalidate outstanding password reset links when users adjust email addresses 2014-08-04 12:04:23 -07:00
view Send old login code to the bottom of the sea 2013-06-19 01:33:27 -07:00