Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Password reset tokens not invalidated #3270

Closed
3 of 4 tasks
AndrolGenhald opened this issue Jun 22, 2023 · 2 comments
Closed
3 of 4 tasks

[Bug]: Password reset tokens not invalidated #3270

AndrolGenhald opened this issue Jun 22, 2023 · 2 comments
Labels
area: auth bug Something isn't working

Comments

@AndrolGenhald
Copy link

Requirements

  • Is this a bug report? For questions or discussions use https://lemmy.ml/c/lemmy_support
  • Did you check to see if this issue already exists?
  • Is this only a single bug? Do not put multiple bugs in one issue.
  • Is this a UI / front end issue? Use the lemmy-ui repo.

Summary

Password reset tokens don't currently seem to be expired. They should expire after either first use or after a timeout (say 24h), whichever comes first.

Steps to Reproduce

  1. Click forgot password on an instance
  2. Use the link to reset your password and it logs you in immediately
  3. Log out and use the link a second time, it still works
  4. Log out and click forgot password again, but use the first link, it still works

Technical Details

Relevant code is here, here and here. The Crud update implementation for PasswordResetRequest updates an existing request with a new token instead of creating a new one, but it seems to be unused, and a new token is always created but never expired.

Version

0.17.4

Lemmy Instance URL

No response
@AndrolGenhald AndrolGenhald added the bug Something isn't working label Jun 22, 2023
@AndrolGenhald
Copy link
Author

Turns out they are invalidated after 24 hours, but I'm working on making them expire after being used or after a new token is generated.

AndrolGenhald added a commit to AndrolGenhald/lemmy that referenced this issue Jun 28, 2023
@AndrolGenhald
Expire password reset tokens when used (fixes LemmyNet#3270).
5694de3
AndrolGenhald added a commit to AndrolGenhald/lemmy that referenced this issue Jun 28, 2023
@AndrolGenhald
Expire password reset tokens when used (fixes LemmyNet#3270).
3750411
AndrolGenhald added a commit to AndrolGenhald/lemmy that referenced this issue Jun 30, 2023
@AndrolGenhald
Expire password reset tokens when used (fixes LemmyNet#3270).
ad18c03
@dessalines
Copy link
Member

Correct, they're invalidated after a day.

@dessalines dessalines closed this as not planned Won't fix, can't repro, duplicate, stale Oct 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: auth bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dessalines @AndrolGenhald @lionirdeadman