mirror of https://we.phorge.it/source/phorge.git synced 2024-12-19 03:50:54 +01:00
phorge-phorge/resources
epriestley ab7d89edc8 Use better secrets in generating account tokens
Summary:
When we generate account tokens for CSRF keys and email verification, one of the inputs we use is the user's password hash. Users won't always have a password hash, so this is a weak input to key generation. This also couples CSRF weirdly with auth concerns.

Instead, give users a dedicated secret for use in token generation which is used only for this purpose.

Test Plan:
  - Ran upgrade scripts.
  - Verified all users got new secrets.
  - Created a new user.
  - Verified they got a secret.
  - Submitted CSRF'd forms, they worked.
  - Adjusted the CSRF token and submitted CSRF'd forms, verified they don't work.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8748
2014-04-10 11:45:10 -07:00
builtin Add an icon+background selector for project images 2013-10-17 09:32:34 -07:00
celerity Better mobile display of ObjectItemView 2014-04-10 11:23:38 -07:00
chatbot Improve some documentation/examples for bot stuff 2013-02-14 12:47:39 -08:00
font Made Meme Generator 2013-01-19 18:43:43 -08:00
sprite Mail icon for email lists in typeahead 2014-02-17 10:06:16 -08:00
sql Use better secrets in generating account tokens 2014-04-10 11:45:10 -07:00
sshd Update repository hosting documentation for all the issues users have hit 2014-03-26 06:44:18 -07:00