feathers-plus / authentication-local-management

Adds sign up verification, forgotten password reset, and other capabilities to local feathers-authentication
MIT License

API to check if tokens are still valid, without changing password #7

Open eddyystop opened 5 years ago

eddyystop commented 5 years ago

Copied from https://github.com/feathers-plus/feathers-authentication-management/issues/2

eddyystop commented 5 years ago

eddyystop commented on Apr 28, 2017

A concern about security for short numeric tokens is the main reason for not implementing this (yet?). A rate limiter would be advisable that limited the retries per userId, perhaps once every few seconds. That, in addition, introduces state restricted to a single instance. Furthermore a function to check this without a rate limiter is not difficult for people to implement on their own.

eddyystop commented 5 years ago

This issue is being left open for people considering this question. The a-l-m rewrite has hardened against hacking. Implementing a feature like that requested here would open an easier attack vector than we've ever had, which I am not willing to do.

If your use case requires this, despite making it easier to hack your app, then it's straightforward to write a hook similar to https://github.com/feathers-plus/authentication-local-management/blob/master/src/verify-signup.js. I suggest you include a rate limiter to slow down hacking attempts.