Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Keep email confirmation token on password update. #5951

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Keep email confirmation token on password update. #5951

wants to merge 4 commits into from

Conversation

ShPakvel
Copy link
Contributor

@ShPakvel ShPakvel commented Oct 11, 2024
edited
Loading

  • Keep email confirmation token during password update.

When user decides to change password, mail can still be waiting confirmation.

Reason why user changes password is not important and
does not lead to any security issue related to email confirmation.
Logic is the same for update and reset of password.

  • Add missing required attribute to password confirmation.

@ShPakvel
Fix security issue on update_user_email.
60d090f 
During `update_user_email` we have to clean up not only chagne email token,
but also all tokens that were send to email previously.
Such as "confirm" and "reset_password" tokens.
This is because they were sent to previous email,
which potentially can be compromised at this point,
as it can be one of reasons to chagne email initially.
@ShPakvel
Keep confirmation token during password update.
430cd21 
When user decides to change password, mail can still be waiting confirmation.

Reason why user changes password is not important and
does not lead to any security issue related to email confirmation.
So related part of logic is the same for update and reset of password.
@ShPakvel ShPakvel changed the title Fix security issue on update_user_email. Fix security issue on update_user_email and correct token removal on password update. Oct 12, 2024
@ShPakvel ShPakvel mentioned this pull request Oct 12, 2024
Open
@josevalim
Copy link
Member

Thank you for the PR. Just one tiny correction:

Fix security issue on email update.

I don't believe there is a security issue here because, when we reset and confirm password, we validate that user email matches the token email.

This PR should be exclusively about improving the user experience by not deleting confirmation tokens. All other aspects are protected today.

@josevalim
Copy link
Member

To be clear, I believe the PR should only change this line: https://github.com/phoenixframework/phoenix/pull/5951/files#diff-501abec1a66c387cce697c48f3c433e58c4fecd77bcd39765d0f3f982d96c39cL202

And update one of the existing tests. :)

@ShPakvel
Revert removal of previous email tokens during email update.
8e10b6f 
Previous email tokens are treated as invalid. Protected by email comparison in `verify_email_token_query`.
@ShPakvel ShPakvel changed the title Fix security issue on update_user_email and correct token removal on password update. Don't remove confirm token on password update. Oct 24, 2024
@ShPakvel ShPakvel changed the title Don't remove confirm token on password update. Keep email confirmation token on password update. Oct 24, 2024
@ShPakvel
Copy link
Contributor Author

@josevalim, thanks! I see I missed protection we have by comparison of user emails in verify_email_token_query. I've reverted this part of code.

Regarding keeping email confirmation token. I think it should be done in both cases "password update" and "password reset". Removing "confirm" email token is inconvenience for user experience in both cases, and I don't see any security issue with keeping token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ShPakvel @josevalim