
Add an explicit temporary token management page to Settings
ClosedPublic

Authored by epriestley on Aug 3 2014, 5:41 PM.
Tags
None
Details

Summary

Ref T5506. This makes it easier to understand and manage temporary tokens.

Eventually this could be more user-friendly, since it's relatively difficult to understand what this screen means. My short-term goal is just to make the next change easier to implement and test.

The next diff will close a small security weakness: if you change your email address, password reset links which were sent to the old address are still valid. Although an attacker would need substantial access to exploit this (essentially, it would just make it easier for them to re-compromise an already compromised account), it's a bit surprising. In the next diff, email address changes will invalidate outstanding password reset links.

Test Plan
  • Viewed outstanding tokens.
  • Added tokens to the list by making "Forgot your password?" requests.
  • Revoked tokens individually.
  • Revoked all tokens.
  • Tried to use a revoked token.
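The behaviour the summary and test plan describe (list outstanding tokens, revoke one, revoke all, reject a revoked or expired token, and, as the follow-up diff intends, invalidate reset links sent to an old address when the email changes) can be sketched as a small store. This is an added illustration written for this page, not Phabricator's own code; the class, method and field names, the SHA-256-at-rest scheme, the "password-reset" and "email-verify" kinds and the 24-hour default lifetime are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class TemporaryToken:
    """One outstanding temporary token for a single user (hypothetical schema)."""
    token_hash: str    # only the hash is stored, so a database leak yields no usable links
    kind: str          # e.g. "password-reset" (constructed value)
    email: str         # address the link was delivered to
    expires_at: float  # unix timestamp
    revoked: bool = False


class TemporaryTokenStore:
    """Per-user token store: issue, list, revoke, redeem. Illustrative, not Phabricator's code."""

    def __init__(self, ttl_seconds: float = 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self.tokens: list[TemporaryToken] = []

    @staticmethod
    def hash_token(raw: str) -> str:
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def issue(self, kind: str, email: str, now: float | None = None) -> str:
        """Mint a fresh random token; the raw value goes into the link, the hash into storage."""
        now = time.time() if now is None else now
        raw = secrets.token_urlsafe(32)
        self.tokens.append(TemporaryToken(self.hash_token(raw), kind, email, now + self.ttl))
        return raw

    def outstanding(self, now: float | None = None) -> list[TemporaryToken]:
        """What a management page would list: tokens that are neither revoked nor expired."""
        now = time.time() if now is None else now
        return [t for t in self.tokens if not t.revoked and t.expires_at > now]

    def revoke_one(self, token_hash: str) -> bool:
        """Revoke a single token by its stored hash (the page shows hashes, never raw tokens)."""
        for t in self.tokens:
            if hmac.compare_digest(t.token_hash, token_hash) and not t.revoked:
                t.revoked = True
                return True
        return False

    def revoke_all(self) -> int:
        """'Revoke all' action: returns how many tokens were newly revoked."""
        count = 0
        for t in self.tokens:
            if not t.revoked:
                t.revoked = True
                count += 1
        return count

    def on_email_changed(self, old_email: str) -> int:
        """The weakness the summary describes: reset links mailed to the old address
        must stop working once the address changes. Returns the number revoked."""
        count = 0
        for t in self.tokens:
            if t.kind == "password-reset" and t.email == old_email and not t.revoked:
                t.revoked = True
                count += 1
        return count

    def redeem(self, raw: str, kind: str, now: float | None = None) -> bool:
        """Consume a token from a link. Unknown, wrong-kind, revoked and expired tokens all
        fail identically; a successful redemption burns the token so it is single use."""
        now = time.time() if now is None else now
        h = self.hash_token(raw)
        for t in self.tokens:
            if t.kind == kind and hmac.compare_digest(t.token_hash, h):
                if t.revoked or t.expires_at <= now:
                    return False
                t.revoked = True
                return True
        return False


if __name__ == "__main__":
    # Walk the test plan above with a constructed user.
    store = TemporaryTokenStore()
    link = store.issue("password-reset", "user@example.test")
    print(len(store.outstanding()), "outstanding")          # 1
    store.on_email_changed("user@example.test")
    print(store.redeem(link, "password-reset"))              # False: link sent to old address
```

The store revokes rather than deletes so the management page can still show what was revoked; redemption compares hashes with `hmac.compare_digest` and returns the same `False` for every failure mode, so a caller cannot distinguish an unknown token from a revoked one.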

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley retitled this revision from to Add an explicit temporary token management page to Settings.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: btrahan.

Here's what this looks like, specifically:

Screen_Shot_2014-08-03_at_10.58.40_AM.png (1×1 px, 192 KB)

btrahan edited edge metadata.
This revision is now accepted and ready to land. (Aug 4 2014, 6:51 PM)
epriestley updated this revision to Diff 24402.

Closed by commit rP30f6405a8654 (authored by @epriestley).