
Invalidate outstanding password reset links when users adjust email addresses

Authored by epriestley <git@epriestley.com> on Aug 4 2014, 21:04.

Description

Invalidate outstanding password reset links when users adjust email addresses

Summary:
Fixes T5506. Depends on D10133. When users remove an email address or change their primary email address, invalidate any outstanding password reset links.

This is a very small security risk, but the current behavior is somewhat surprising, and an attacker could sit on a reset link for up to 24 hours and then use it to re-compromise an account.

Test Plan:

  • Changed primary address and removed addresses.
  • Verified these actions invalidated outstanding one-time login temporary tokens.
  • Tried to use revoked reset links.
  • Revoked normally from new UI panel.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5506

Differential Revision: https://secure.phabricator.com/D10134
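The mitigation the commit message describes, as an added illustration that is not Phabricator's code: a one-time reset token store whose tokens are tied to a user, expire after 24 hours, and are revoked in bulk whenever that user removes an address or changes their primary address. The class names, the `issue`/`revoke_all`/`redeem` API and the scenario inputs are all constructed for this example; only the 24-hour window and the "revoke on email change" rule come from the text.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Reset links are valid for 24 hours; the text above describes this window.
RESET_TOKEN_TTL = 24 * 60 * 60


@dataclass
class ResetToken:
    user_id: str
    token_hash: str      # only a hash is stored; the raw token goes into the emailed link
    expires_at: float    # absolute time (seconds) after which the link is dead
    revoked: bool = False


@dataclass
class UserAccount:
    user_id: str
    primary_email: str
    emails: Set[str] = field(default_factory=set)


class ResetTokenStore:
    """Hypothetical store for one-time password reset tokens (not Phabricator's)."""

    def __init__(self) -> None:
        self._tokens: List[ResetToken] = []

    @staticmethod
    def _hash(raw: str) -> str:
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        """Mint a reset token for user_id and return the raw value for the link."""
        raw = secrets.token_urlsafe(32)
        self._tokens.append(ResetToken(user_id, self._hash(raw), now + RESET_TOKEN_TTL))
        return raw

    def revoke_all(self, user_id: str) -> int:
        """Invalidate every outstanding token for user_id; returns how many were live."""
        count = 0
        for tok in self._tokens:
            if tok.user_id == user_id and not tok.revoked:
                tok.revoked = True
                count += 1
        return count

    def redeem(self, raw: str, now: float) -> Optional[str]:
        """Return the user_id if the link is still valid, else None. Tokens are single-use."""
        candidate = self._hash(raw)
        for tok in self._tokens:
            if secrets.compare_digest(tok.token_hash, candidate):
                if tok.revoked or now > tok.expires_at:
                    return None
                tok.revoked = True  # consumed; a replayed link must fail
                return tok.user_id
        return None


class AccountService:
    """Email management that revokes reset links on the two events the commit covers."""

    def __init__(self, store: ResetTokenStore) -> None:
        self.store = store
        self.accounts: Dict[str, UserAccount] = {}

    def add_account(self, user_id: str, primary_email: str) -> None:
        self.accounts[user_id] = UserAccount(user_id, primary_email, {primary_email})

    def add_email(self, user_id: str, email: str) -> None:
        self.accounts[user_id].emails.add(email)

    def change_primary_email(self, user_id: str, new_primary: str) -> int:
        acct = self.accounts[user_id]
        acct.emails.add(new_primary)
        acct.primary_email = new_primary
        # A reset link mailed to the old address must not survive this change.
        return self.store.revoke_all(user_id)

    def remove_email(self, user_id: str, email: str) -> int:
        acct = self.accounts[user_id]
        if email == acct.primary_email:
            raise ValueError("change the primary address before removing it")
        acct.emails.discard(email)
        return self.store.revoke_all(user_id)


def scenario() -> Dict[str, object]:
    """Constructed walk-through: a link issued before an address change is dead afterwards."""
    store = ResetTokenStore()
    svc = AccountService(store)
    svc.add_account("u1", "alice@example.invalid")          # constructed sample user
    old_link = store.issue("u1", now=1000.0)                # link mailed before the change
    revoked = svc.change_primary_email("u1", "alice-new@example.invalid")
    after_change = store.redeem(old_link, now=1001.0)       # None: link was invalidated
    fresh_link = store.issue("u1", now=2000.0)
    first_use = store.redeem(fresh_link, now=2001.0)        # "u1": valid, consumed
    replay = store.redeem(fresh_link, now=2002.0)           # None: single-use
    return {"revoked": revoked, "after_change": after_change,
            "first_use": first_use, "replay": replay}
```

`redeem` compares hashes with `secrets.compare_digest` and `revoke_all` marks tokens rather than deleting them, so a revoked link and a never-issued link are indistinguishable to the caller; the count returned by the email operations is what a settings panel like the one in the parent commit would show the user.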

Details

Committed
epriestley <git@epriestley.com>, Aug 4 2014, 21:04
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPH30f6405a8654: Add an explicit temporary token management page to Settings
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHe56dc8f29986: Invalidate outstanding password reset links when users adjust email addresses (authored by epriestley <git@epriestley.com>). Aug 4 2014, 21:04