Differential D10134

Invalidate outstanding password reset links when users adjust email addresses
ClosedPublic
Actions

Authored by epriestley on Aug 3 2014, 6:03 PM.

Tags

None

Referenced Files

	Unknown Object (File)
	Thu, Jan 23, 2:55 PM

	Unknown Object (File)
	Thu, Jan 23, 2:55 PM

	Unknown Object (File)
	Thu, Jan 23, 2:55 PM

	Unknown Object (File)
	Thu, Jan 23, 2:55 PM

	Unknown Object (File)
	Fri, Jan 17, 2:01 AM

	Unknown Object (File)
	Dec 4 2024, 11:42 AM

	Unknown Object (File)
	Dec 4 2024, 2:33 AM

	Unknown Object (File)
	Dec 3 2024, 8:31 AM

Subscribers

Details

Reviewers

Maniphest Tasks

T5506: Allow users to explicitly manage temporary tokens

Commits

Restricted Diffusion Commit
rPe56dc8f29986: Invalidate outstanding password reset links when users adjust email addresses

Summary

Fixes T5506. Depends on D10133. When users remove an email address or change their primary email address, invalidate any outstanding password reset links.

This is a very small security risk, but the current behavior is somewhat surprising, and an attacker could sit on a reset link for up to 24 hours and then use it to re-compromise an account.

Test Plan

Changed primary address and removed addreses.
Verified these actions invalidated outstanding one-time login temporary tokens.
Tried to use revoked reset links.
Revoked normally from new UI panel.

Diff Detail

Repository

Branch

token2

Lint

Lint Passed

Unit

Tests Passed

Build Status

Buildable 2018
Build 2019: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

epriestley updated this revision to Diff 24373.Aug 3 2014, 6:03 PM

epriestley retitled this revision from to Invalidate outstanding password reset links when users adjust email addresses.

epriestley updated this object.

epriestley edited the test plan for this revision. (Show Details)

epriestley added a reviewer: btrahan.

epriestley added a task: T5506: Allow users to explicitly manage temporary tokens.

epriestley added a parent revision: D10133: Add an explicit temporary token management page to Settings.

Herald added a subscriber: epriestley. · View Herald TranscriptAug 3 2014, 6:03 PM

Harbormaster completed remote builds in B2018: Diff 24373.Aug 3 2014, 6:04 PM

btrahan accepted this revision.Aug 4 2014, 6:51 PM

btrahan edited edge metadata.

This revision is now accepted and ready to land.Aug 4 2014, 6:51 PM

Closed by commit rPe56dc8f29986 (authored by @epriestley).

Revision Contents
Changeset List

Path

Size

src/

applications/

auth/

controller/

PhabricatorAuthRevokeTokenController.php

2 lines

storage/

PhabricatorAuthTemporaryToken.php

24 lines

people/

editor/

PhabricatorUserEditor.php

20 lines

settings/

panel/

PhabricatorSettingsPanelEmailAddresses.php

24 lines

Diff 24373

src/applications/auth/controller/PhabricatorAuthRevokeTokenController.php

Loading...

src/applications/auth/storage/PhabricatorAuthTemporaryToken.php

Loading...

src/applications/people/editor/PhabricatorUserEditor.php

Loading...

src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php

Loading...