GEOLYTIX / xyz

An open source javascript framework for spatial data and application interfaces.
MIT License

verification token access and manual verification #1330

Closed dbauszus-glx closed 1 week ago

dbauszus-glx commented 2 weeks ago

A user may not have access to a verification token because email [transport] is not configured or the email is blocked.

An administrator can manually verify accounts in the ACL through the admin view. However, manual verification will not reset failed login attempts or the password.

It should be possible for an administrator to retrieve a verification token in order to provide it by other means than email, allowing a user to reset their password without access to email.

Should manual verification reset the password?

simon-leech commented 1 week ago

When a user has 3 or more failed password attempts, they should be forced to complete a password reset to unblock their account.

When a user has 3 or more failed password attempts and attempts to log in, they should always see the 'reset your password' message and get the same email, not the 'account not verified or approved' one.

simon-leech commented 1 week ago

What happens if the initial admin for that instance cannot access the initial email?

dbauszus-glx commented 1 week ago

There is no email. Email must be optional. In order to test this, no transport should be set. You register 'whatever' as a user account.

The admin logs in and verifies 'whatever' which will approve the account.

If 'whatever' resets their password an admin will need to toggle the verification, as in turn it off and then on again. At this point the password will have been reset.

The verification cannot be removed on password reset, as otherwise anybody who knows your account name (e.g. email) would be able to reset your password and remove your authentication.

This meets the condition for email to be optional, and an admin can never access passwords.

It is also not possible to retrieve a password from the database directly as they are stored encrypted.

dbauszus-glx commented 1 week ago

This should be resolved in the USER API review.

The update method as called from the admin panel will do the verification bits.

```js
// update method as called from the admin panel. The function wrapper and the
// email / ISODate definitions are added so the snippet is self-contained.
async function update(req, res) {

  const email = req.params.email
  const ISODate = new Date().toISOString()

  let verification_by_admin = ''
  if (req.params.field === 'verified' && req.params.value === true) {

    // Note: password = password_reset sets the password to NULL when no reset is pending.
    verification_by_admin = `
      , password = password_reset
      , password_reset = NULL
      , failedattempts = 0
      , verificationtoken = NULL
      , approved = true
      , approved_by = '${req.params.user.email}|${ISODate}'
    `
  }

  // Update the user record in the ACL. req.params.field is interpolated into the
  // statement, so it must be checked against an allow-list of column names first.
  // (A stray ${approved_by} reference was removed: the variable is undefined and
  // approved_by is already set in verification_by_admin.)
  const rows = await acl(`
    UPDATE acl_schema.acl_table
    SET
      ${req.params.field} = $2
      ${verification_by_admin}
    WHERE lower(email) = lower($1);`,
    [email, req.params.value])

  if (rows instanceof Error) {
    return res.status(500).send('Failed to access ACL.')
  }
}
```

The verification can be called directly by an admin.

http://localhost:3000/api/user/update?email=dennis@mail.com&field=verified&value=true

To discuss. Should admin receive verification token?
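The admin update described in the comment above, as an added example that is not xyz's own code: the column name is checked against an allow-list before it is spliced into the SQL, approved_by is bound as a query parameter instead of being interpolated, and the promotion of password_reset keeps the current password when no reset is pending. The set of updatable columns and the email addresses are assumptions.

```javascript
// Added example, not part of xyz. Columns an admin may set via the update
// endpoint; the set itself is an assumption for this example.
const UPDATABLE_FIELDS = new Set(['verified', 'approved', 'admin', 'blocked'])

// Builds the parameterized UPDATE for the admin panel. Returns { text, values }
// for a query call such as acl(text, values), or an Error for a disallowed field.
function buildUserUpdate({ field, value, email, adminEmail, now = new Date() }) {
  if (!UPDATABLE_FIELDS.has(field)) {
    return new Error(`Field "${field}" cannot be updated through this endpoint.`)
  }

  // Query-string values arrive as strings; map the boolean literals.
  const normalised = value === 'true' ? true : value === 'false' ? false : value

  const values = [email, normalised]
  let verificationByAdmin = ''

  if (field === 'verified' && normalised === true) {
    // Admin verification: promote a pending password_reset (keeping the current
    // password when none is pending), clear the lockout counter and the token.
    // approved_by is bound as $3 instead of being spliced into the statement.
    values.push(`${adminEmail}|${now.toISOString()}`)
    verificationByAdmin = `
      , password = COALESCE(password_reset, password)
      , password_reset = NULL
      , failedattempts = 0
      , verificationtoken = NULL
      , approved = true
      , approved_by = $3`
  }

  // field is safe to interpolate here because it passed the allow-list check.
  const text = `
    UPDATE acl_schema.acl_table
    SET
      ${field} = $2
      ${verificationByAdmin}
    WHERE lower(email) = lower($1);`

  return { text, values }
}
```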