mirror of https://we.phorge.it/source/phorge.git synced 2024-09-22 10:18:48 +02:00
phorge-phorge/src/applications/auth/storage
epriestley e56dc8f299 Invalidate outstanding password reset links when users adjust email addresses
Summary:
Fixes T5506. Depends on D10133. When users remove an email address or change their primary email address, invalidate any outstanding password reset links.

This is a very small security risk, but the current behavior is somewhat surprising, and an attacker could sit on a reset link for up to 24 hours and then use it to re-compromise an account.

Test Plan:
  - Changed primary address and removed addresses.
  - Verified these actions invalidated outstanding one-time login temporary tokens.
  - Tried to use revoked reset links.
  - Revoked normally from new UI panel.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5506

Differential Revision: https://secure.phabricator.com/D10134
2014-08-04 12:04:23 -07:00
PhabricatorAuthDAO.php Add storage for Auth configuration in preparation for moving it into a web interface 2013-06-17 10:48:41 -07:00
PhabricatorAuthFactorConfig.php Rename PHIDType classes 2014-07-24 08:05:46 +10:00
PhabricatorAuthProviderConfig.php can now tell phabricator you trust an auth provider's emails (useful for Google OAuth), which will mark emails as "verified" and will skip email verification. 2014-05-16 14:14:06 -07:00
PhabricatorAuthProviderConfigTransaction.php Change double quotes to single quotes. 2014-06-09 11:36:50 -07:00
PhabricatorAuthSession.php Minor cleanup of some session code 2014-05-01 10:23:19 -07:00
PhabricatorAuthTemporaryToken.php Invalidate outstanding password reset links when users adjust email addresses 2014-08-04 12:04:23 -07:00