Page MenuHomePhabricator

Remove one-time login from username change email
ClosedPublic

Authored by epriestley on Tue, Feb 5, 7:01 PM.

Details

Summary

Depends on D20100. Ref T7732. Ref T13244. This is a bit of an adventure.

Long ago, passwords were digested with usernames as part of the salt. This was a mistake: it meant that your password becomes invalid if your username is changed.

(I think very very long ago, some other hashing may also have used usernames -- perhaps session hashing or CSRF hashing?)

To work around this, the "username change" email included a one-time login link and some language about resetting your password.

This flaw was fixed when passwords were moved to shared infrastructure (they're now salted more cleanly on a per-digest basis), and since D18908 (about a year ago) we've transparently upgraded password digests on use.

Although it's still technically possible that a username change could invalidate your password, it requires:

  • You set the password on a version of Phabricator earlier than ~2018 Week 5 (about a year ago).
  • You haven't logged into a version of Phabricator newer than that using your password since then.
  • Your username is changed.

This probably affects more than zero users, but I suspect not many more than zero. These users can always use "Forgot password?" to recover account access.

Since the value of this is almost certainly very near zero now and declining over time, just get rid of it. Also move the actual mail out of PhabricatorUser, ala the similar recent change to welcome mail in D19989.

Test Plan

Changed a user's username, reviewed resulting mail with bin/mail show-outbound.

Diff Detail

Repository
rP Phabricator
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Tue, Feb 5, 7:01 PM
epriestley requested review of this revision.Tue, Feb 5, 7:02 PM
amckinley accepted this revision.Tue, Feb 5, 10:28 PM
This revision is now accepted and ready to land.Tue, Feb 5, 10:28 PM

Long ago, passwords were digested with usernames as part of the salt.

butwhy

This revision was automatically updated to reflect the committed changes.