Diffusion Phabricator e56dc8f29986

Invalidate outstanding password reset links when users adjust email addresses
e56dc8f29986
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

Invalidate outstanding password reset links when users adjust email addresses

Summary:
Fixes T5506. Depends on D10133. When users remove an email address or change their primary email address, invalidate any outstanding password reset links.

This is a very small security risk, but the current behavior is somewhat surprising, and an attacker could sit on a reset link for up to 24 hours and then use it to re-compromise an account.

Test Plan:

Changed primary address and removed addreses.
Verified these actions invalidated outstanding one-time login temporary tokens.
Tried to use revoked reset links.
Revoked normally from new UI panel.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5506

Differential Revision: https://secure.phabricator.com/D10134

Details

Provenance

epriestley	Authored on
epriestley	Pushed on Aug 4 2014, 7:04 PM

Reviewer

Differential Revision

D10134: Invalidate outstanding password reset links when users adjust email addresses

Parents

rP30f6405a8654: Add an explicit temporary token management page to Settings

Branches

Unknown

Tags

Unknown

Event Timeline

Changes (4)

Path

Size

src/

applications/

auth/

controller/

PhabricatorAuthRevokeTokenController.php

storage/

PhabricatorAuthTemporaryToken.php

people/

editor/

PhabricatorUserEditor.php

settings/

panel/

PhabricatorSettingsPanelEmailAddresses.php

rPe56dc8f29986

src/applications/auth/controller/PhabricatorAuthRevokeTokenController.php

Loading...

src/applications/auth/storage/PhabricatorAuthTemporaryToken.php

Loading...

src/applications/people/editor/PhabricatorUserEditor.php

Loading...

src/applications/settings/panel/PhabricatorSettingsPanelEmailAddresses.php

Loading...