ncbo / ontologies_api

Hypermedia API for NCBO's ontology-related projects
http://data.bioontology.org

add password reset token expiration #133

Closed alexskr closed 6 months ago

alexskr commented 6 months ago

Add password reset token expiration time to fix a security issue where the reset token never expires and the same reset token can be used multiple times to reset the password.

Changes:

Addresses https://github.com/ncbo/ontologies_api/issues/60
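The weakness the PR describes, a reset token that is stored indefinitely and honoured on every use, next to the behaviour a fix introduces (expiry plus single use). This is an added illustration in Ruby, the project's language, and is not ontologies_api code; the class names, the 24-hour default `TTL`, the in-memory hash store and the `issue`/`redeem` method names are all assumptions made for the example.

```ruby
require 'securerandom'
require 'digest'

# Weak variant (assumed shape of the pre-fix behaviour): the plain token is
# kept forever and every redemption succeeds, so one emailed link can be used
# to reset the password again and again.
class ReusableResetToken
  def initialize
    @tokens = {} # token => user id
  end

  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @tokens[token] = user_id
    token
  end

  def redeem(token, now: Time.now)
    @tokens[token] # never removed, never checked against a deadline
  end
end

# Hardened variant: only a SHA-256 digest of the token is stored (a leaked
# store does not yield usable links), each token carries an expiry, and a
# token is deleted on first use whether or not it was still valid.
class ExpiringResetToken
  TTL = 24 * 60 * 60 # seconds; assumed default, not the project's setting

  def initialize(ttl: TTL)
    @ttl = ttl
    @tokens = {} # digest => { user_id:, expires_at: }
  end

  def issue(user_id, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @tokens[digest(token)] = { user_id: user_id, expires_at: now + @ttl }
    token
  end

  # Returns the user id for a valid, unused, unexpired token, otherwise nil.
  # The record is removed before any check so a second attempt always fails.
  def redeem(token, now: Time.now)
    record = @tokens.delete(digest(token))
    return nil if record.nil?
    return nil if now > record[:expires_at]
    record[:user_id]
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# The same token redeemed twice against the weak store: both succeed.
def weak_token_reuse
  store = ReusableResetToken.new
  token = store.issue('alice')
  [store.redeem(token), store.redeem(token)]
end

# Constructed timeline against the hardened store with a one-hour TTL.
def hardened_token_behaviour
  store = ExpiringResetToken.new(ttl: 3600)
  issued_at = Time.at(1_700_000_000) # constructed fixed instant
  token = store.issue('alice', now: issued_at)
  first  = store.redeem(token, now: issued_at + 60)  # valid, consumed
  second = store.redeem(token, now: issued_at + 61)  # already used
  stale = store.issue('bob', now: issued_at)
  expired = store.redeem(stale, now: issued_at + 3601) # past the deadline
  bogus = store.redeem('not-a-real-token', now: issued_at)
  { first: first, second: second, expired: expired, bogus: bogus }
end

if __FILE__ == $PROGRAM_NAME
  puts "weak store:     #{weak_token_reuse.inspect}"
  puts "hardened store: #{hardened_token_behaviour.inspect}"
end
```

Deleting the record before checking the deadline is deliberate: an expired token is then consumed on its first presentation too, so the user is pushed to request a fresh link rather than retrying an old one, which is the "Password reset not authorized with this token. Please reset your password again." outcome a second click should produce.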

codecov-commenter commented 6 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (7580da8) 72.17% compared to head (e78397b) 73.06%. Report is 1 commits behind head on develop.

:exclamation: Current head e78397b differs from pull request most recent head 0a2b100. Consider uploading reports for the commit 0a2b100 to get more accurate results

Additional details and impacted files

```diff
@@             Coverage Diff             @@
##           develop     #133      +/-   ##
===========================================
+ Coverage    72.17%   73.06%   +0.88%
===========================================
  Files           52       52
  Lines         2897     2903       +6
===========================================
+ Hits          2091     2121      +30
+ Misses         806      782      -24
```

| [Flag](https://app.codecov.io/gh/ncbo/ontologies_api/pull/133/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=ncbo) | Coverage Δ | |
|---|---|---|
| [unittests](https://app.codecov.io/gh/ncbo/ontologies_api/pull/133/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=ncbo) | `73.06% <100.00%> (+0.88%)` | :arrow_up: |

Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=ncbo#carryforward-flags-in-the-pull-request-comment) to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

jvendetti commented 5 months ago

@alexskr - can you provide a description of how your modification changes this functionality? In other words, what happens now when an end user receives a reset password link via email? Can they only click the link once? We have a report on the support list from an end user that is getting an authorization error when they try to reset their password:

... while the credentials enable me to get a password reset email, when I click on the provided link to reset my password, I get the following error message: “Password reset not authorized with this token. Please reset your password again.” I have tried three times.

alexskr commented 5 months ago

I updated the description of the PR.

It takes 50+ seconds for the password reset to go through when I try to do it in production, which is a problem that should be looked into. The UI also doesn't provide any feedback to users that it's working on the request, which can cause people to leave the page before the request completes.