Add an explicit temporary token management page to Settings

Authored by epriestley <git@epriestley.com> on Aug 4 2014, 21:04.

Description

Add an explicit temporary token management page to Settings

Summary:
Ref T5506. This makes it easier to understand and manage temporary tokens.

Eventually this could be more user-friendly, since it's relatively difficult to understand what this screen means. My short-term goal is just to make the next change easier to implement and test.

The next diff will close a small security weakness: if you change your email address, password reset links which were sent to the old address are still valid. Although an attacker would need substantial access to exploit this (essentially, it would just make it easier for them to re-compromise an already compromised account), it's a bit surprising. In the next diff, email address changes will invalidate outstanding password reset links.

Test Plan:

  • Viewed outstanding tokens.
  • Added tokens to the list by making "Forgot your password?" requests.
  • Revoked tokens individually.
  • Revoked all tokens.
  • Tried to use a revoked token.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5506

Differential Revision: https://secure.phabricator.com/D10133
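
The token lifecycle exercised in the test plan, together with the email-change invalidation the summary announces for the next diff, sketched as an added example (not code from this commit or from Phabricator). The class, function names, in-memory storage and 24-hour lifetime are all hypothetical assumptions.

```python
import hashlib
import secrets
import time

RESET_TTL = 24 * 60 * 60  # assumed lifetime in seconds; the page states none


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class TemporaryTokenStore:
    """Hypothetical in-memory model of per-user temporary tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sha256(token) -> row; raw tokens are never stored

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self._rows[_digest(token)] = {"user": user, "expires": self._clock() + RESET_TTL}
        return token

    def outstanding(self, user):
        return [d for d, r in self._rows.items() if r["user"] == user]

    def revoke(self, user, digest):
        # Scoped to the owner: one user can never revoke another user's row.
        if self._rows.get(digest, {}).get("user") != user:
            return False
        del self._rows[digest]
        return True

    def revoke_all(self, user):
        digests = self.outstanding(user)
        for d in digests:
            del self._rows[d]
        return len(digests)

    def redeem(self, token):
        row = self._rows.pop(_digest(token), None)  # single use
        if row is None or row["expires"] <= self._clock():
            return None
        return row["user"]


def change_email(store, accounts, user, new_address):
    accounts[user] = new_address
    # Links mailed to the old address stop working together with the change.
    return store.revoke_all(user)
```

Passing a fake `clock` callable makes the expiry path testable without waiting for real time to pass.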

Details

Committed: epriestley <git@epriestley.com>, Aug 4 2014, 21:04
Pushed: aubort, Jan 31 2017, 17:16
Parents: rPHe8d272b0dad1: Use standard infrastructure to attach commits to other objects
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH30f6405a8654: Add an explicit temporary token management page to Settings (authored by epriestley <git@epriestley.com>). Aug 4 2014, 21:04