Invalidate outstanding password reset links when users adjust email addresses

Description

Summary:
Fixes T5506. Depends on D10133. When users remove an email address or change their primary email address, invalidate any outstanding password reset links.

This is a very small security risk, but the current behavior is somewhat surprising, and an attacker could sit on a reset link for up to 24 hours and then use it to re-compromise an account.

Test Plan:

  • Changed primary address and removed addresses.
  • Verified these actions invalidated outstanding one-time login temporary tokens.
  • Tried to use revoked reset links.
  • Revoked normally from new UI panel.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5506

Differential Revision: https://secure.phabricator.com/D10134
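The behaviour this commit describes, as an added illustration in Python that is not Phabricator's own code: one-time login tokens are stored only as hashes with an expiry, and any change to the account's email addresses (primary address swapped, an address removed) revokes every outstanding token, so a reset link sent before the change cannot be redeemed afterwards. The 24-hour lifetime, the in-memory `TokenStore`, and the `Account` shape are assumptions made for the example.

```python
"""Revoke outstanding one-time login tokens when email addresses change.
Added example; not Phabricator's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumption: reset links live 24 hours, the window the commit message mentions.
TOKEN_TTL_SECONDS = 24 * 60 * 60


@dataclass
class OneTimeToken:
    user_id: str
    token_hash: str        # only a hash of the secret is stored server-side
    expires_at: float      # unix timestamp
    used_or_revoked: bool = False


class TokenStore:
    """Minimal in-memory token table standing in for a database table."""

    def __init__(self) -> None:
        self._tokens: List[OneTimeToken] = []

    @staticmethod
    def _hash(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        """Create a token; the raw secret goes into the emailed link and is
        never persisted in clear."""
        raw = secrets.token_urlsafe(32)
        self._tokens.append(
            OneTimeToken(user_id, self._hash(raw), now + TOKEN_TTL_SECONDS))
        return raw

    def revoke_all_for_user(self, user_id: str) -> int:
        """Mark every live token of the user as revoked; returns the count."""
        count = 0
        for tok in self._tokens:
            if tok.user_id == user_id and not tok.used_or_revoked:
                tok.used_or_revoked = True
                count += 1
        return count

    def redeem(self, raw: str, now: float) -> Optional[str]:
        """Return the user id if the link is valid, else None. A successful
        redemption consumes the token (one-time use)."""
        digest = self._hash(raw)
        for tok in self._tokens:
            if hmac.compare_digest(tok.token_hash, digest):
                if tok.used_or_revoked or now >= tok.expires_at:
                    return None
                tok.used_or_revoked = True
                return tok.user_id
        return None


@dataclass
class Account:
    user_id: str
    primary_email: str
    emails: Set[str] = field(default_factory=set)


def change_primary_email(store: TokenStore, account: Account,
                         new_primary: str) -> int:
    """Swap the primary address, then invalidate outstanding reset links."""
    if new_primary not in account.emails:
        raise ValueError("new primary must be an address already on the account")
    account.primary_email = new_primary
    return store.revoke_all_for_user(account.user_id)


def remove_email(store: TokenStore, account: Account, email: str) -> int:
    """Remove a secondary address, then invalidate outstanding reset links."""
    if email == account.primary_email:
        raise ValueError("cannot remove the primary address")
    account.emails.discard(email)
    return store.revoke_all_for_user(account.user_id)
```

A link issued before an address change is rejected by `redeem` even though it has not expired, and an unrevoked link still dies at the 24-hour boundary or on its first use.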

Details

Provenance: epriestley (authored); pushed on Aug 4 2014, 7:04 PM
Reviewer: btrahan
Differential Revision: D10134: Invalidate outstanding password reset links when users adjust email addresses
Parents: rP30f6405a8654: Add an explicit temporary token management page to Settings
Branches: Unknown
Tags: Unknown