commercetools / sunrise-spa

SUNRISE shop template as a single-page application
https://sunrise-spa.now.sh
Apache License 2.0

Major Security Issue - Forgot password #296

Closed samuelkilada closed 1 year ago

samuelkilada commented 1 year ago

Hello. I don't know if I'm missing something, but I noticed that in this file it creates a reset password token:

https://github.com/commercetools/sunrise-spa/blob/a556c17e158d8beb02d5d14b6c70b7ec114e03e7/src/presentation/fashion/Login/ForgotPassword/ForgotPassword.js

const createToken = () => {
  return createResetToken(form.value.email).then((result) =>
    gotoResetToken(result.data.customerCreatePasswordResetToken.value)
  );
};

If you look at the gotoResetToken function, it looks like this:

https://github.com/commercetools/sunrise-spa/blob/fc2f51e25ffa0c9ab05b5ec545ca1221342dc691/composition/useCustomerTools.js

const gotoResetToken = (token) =>
  router.push({ name: 'reset-password', params: { token } });

In other words, it's generating a reset token and then redirecting the user to the reset password page with that token! That means you could enter anyone's email address and reset their password with it. Am I missing something here?

harm-meijer commented 1 year ago

@samuelkilada You are correct, the reset password works like this for demo only. In production you will need a proxy to handle creating the token and email it to the user.

samuelkilada commented 1 year ago

@harm-meijer Thanks very much for the quick reply. I would highly recommend adding a 'todo' statement or some kind of security warning because there may be many developers who end up implementing this feature in this way without realizing the security implications.

harm-meijer commented 1 year ago

@samuelkilada If you create the API client with mobile and web application scope as per the instructions, then the reset password link would not be available.

I will add a comment in the forgot password files as well.

samuelkilada commented 1 year ago

@harm-meijer That makes sense. Thanks for doing that!