Closed scottinet closed 4 years ago
@rolljee > it's from #70 so you should put it there :)
@scottinet I put this PR in draft to prevent someone from merging it since #70 has to be merged first. Maybe you can change the target branch and merge it?
I'll wait for #70 to be merged instead :-)
:warning: depends on #70
Description
The `requirePassword` option forces users to pass their current password to be able to update or delete their user credentials. Problem: the plugin requires that current passwords are put in the querystring for HTTP requests. Querystrings can be intercepted, and they are also logged as-is by Kuzzle loggers (and proxies), leaking user passwords.

With this PR, the plugin asks for the current password to be put in a `currentPassword` body argument.

Preventing a breaking change

To prevent a breaking change, the old manner of providing the current password still works. But it has been tagged as `@deprecated` in the code, and its documentation has been removed. Our current clients using this way of providing the current password will be urged to migrate to the new API ASAP.

Once done... we may remove this deprecated code without further notice.
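An added example, not code from this PR or from the plugin: it shows what an access-log line records for each way of sending the current password, and a resolver that prefers the `currentPassword` body argument while still accepting the deprecated querystring form. The request shape, the route, the legacy argument name `password` and the helper names are assumptions made for illustration.

```javascript
// Hypothetical request shape: { method, url, body }.
// The legacy querystring argument name is an assumption; the page only
// names the new `currentPassword` body argument.
const LEGACY_ARG = 'password';

// What a typical access logger or proxy records: method and full URL.
// The request body is not part of that line.
function accessLogLine(request) {
  return `${request.method} ${request.url}`;
}

// Resolve the current password: body argument first, deprecated
// querystring second, so existing clients keep working.
function resolveCurrentPassword(request) {
  const body = request.body || {};
  if (typeof body.currentPassword === 'string' && body.currentPassword !== '') {
    return { password: body.currentPassword, deprecated: false };
  }
  const query = new URL(request.url, 'http://localhost').searchParams;
  const legacy = query.get(LEGACY_ARG);
  if (legacy) {
    // A real handler would emit a deprecation warning here (without the value).
    return { password: legacy, deprecated: true };
  }
  return { password: null, deprecated: false };
}

// Constructed sample data: secret, route and payloads are made up.
const SECRET = 'hunter2-constructed';
const legacyRequest = {
  method: 'PUT',
  url: `/credentials/_update?${LEGACY_ARG}=${encodeURIComponent(SECRET)}`,
  body: { password: 'new-constructed' }
};
const fixedRequest = {
  method: 'PUT',
  url: '/credentials/_update',
  body: { currentPassword: SECRET, password: 'new-constructed' }
};

// For each request: the logged line, whether it contains the secret,
// and how the password was supplied.
function demo() {
  return [legacyRequest, fixedRequest].map((request) => {
    const line = accessLogLine(request);
    const resolved = resolveCurrentPassword(request);
    return { line, leaked: line.includes(SECRET), deprecated: resolved.deprecated,
      accepted: resolved.password === SECRET };
  });
}
console.log(demo());
```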