rcpch / rcpch-audit-engine

Epilepsy12 Audit Platform
https://e12.rcpch.ac.uk/
GNU Affero General Public License v3.0

Repeatedly asked to reset password #988

Closed AmaniKrayemRCPCH closed 3 months ago

AmaniKrayemRCPCH commented 4 months ago

This popped up today, so I reset my password:

[screenshot]

However, I've logged in twice since and each time it asks me to reset my password. I can bypass it by clicking 'Home' in the top right.

eatyourpeas commented 4 months ago

I have tried this in staging, live and development and am finding the expected behaviour, so I am not sure I can explain it. I have found a vulnerability, though: once the password has expired, on redirecting to the password reset page the user was not logged out, so it would be possible to click on the home link and stay logged in. I have fixed this in the next update, but it does not solve your problem. Perhaps if you could try logging in, be redirected to the password reset page, enter your email and at that point log out. Then click on the link in the email and use this to reset the password. Then try logging in and report back here?

mbarton commented 4 months ago

Sorry for going on a tangent a bit, but given we have two-factor authentication, I'm not sure expiring passwords buys us much additional security.

Disallowing passwords from known breaches (e.g. using the haveibeenpwned database) would probably be a stronger defense.

eatyourpeas commented 4 months ago

I am happy with this - we only included it because it was specifically listed as a vulnerability in the PenTest report under amber. I think passwords are 10 characters for users, and 16 for superusers, with a 90 day password lifespan and a 30 minute lockout for more than 5 consecutive failed attempts.
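To make the two points above concrete (the expired-password redirect that left the session authenticated, and the breach check mbarton suggests), here is an added, self-contained Python model of the controls as eatyourpeas describes them: 5 consecutive failures trigger a 30 minute lockout, a 90 day password lifespan, 10/16 character minimums for users/superusers, and a k-anonymity style breached-password lookup. This is example code written for this page, not code from rcpch-audit-engine; the `User`/`Session` classes, the fixed clock, the SHA-256 stand-in for a real password hash, and the local breach corpus standing in for the Pwned Passwords range API are all assumptions.

```python
"""Added example, not code from rcpch-audit-engine: a model of the password controls
discussed in this issue. Names, policy values, the clock and the breach corpus are
assumptions made for the example."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy values as described in the thread; the project's real settings are not shown here.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT = timedelta(minutes=30)
PASSWORD_LIFESPAN = timedelta(days=90)
MIN_LENGTH = {"user": 10, "superuser": 16}

# Constructed clock so the example runs deterministically offline.
NOW = datetime(2024, 6, 1, 12, 0)
AFTER_LOCKOUT = NOW + LOCKOUT + timedelta(minutes=1)


@dataclass
class User:
    email: str
    password_hash: str          # SHA-256 stand-in; a real app stores a slow KDF hash (Argon2, bcrypt)
    role: str                   # "user" or "superuser"
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


@dataclass
class Session:
    """Server-side session; a 'user' key present means the browser is authenticated."""
    data: dict = field(default_factory=dict)

    def is_authenticated(self) -> bool:
        return "user" in self.data


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def make_user(password: str, role: str = "user", days_since_set: int = 0) -> User:
    """Constructed user whose password was set `days_since_set` days before NOW."""
    return User("someone@example.org", hash_password(password), role,
                NOW - timedelta(days=days_since_set))


def login(user: User, password: str, session: Session, now: datetime,
          logout_on_expiry: bool = True) -> str:
    """Returns the page the user lands on: 'locked', 'invalid', 'reset_password' or 'home'.

    logout_on_expiry=False reproduces the behaviour eatyourpeas found: an expired
    password redirects to the reset page but leaves the session authenticated, so
    clicking 'Home' bypasses the reset. True is the fixed behaviour."""
    if user.locked_until and now < user.locked_until:
        return "locked"
    if not hmac.compare_digest(user.password_hash, hash_password(password)):
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked_until = now + LOCKOUT
            user.failed_attempts = 0
        return "invalid"
    user.failed_attempts = 0
    user.locked_until = None
    session.data["user"] = user.email           # credentials verified: session is now authenticated
    if now - user.password_set_at > PASSWORD_LIFESPAN:
        if logout_on_expiry:
            session.data.clear()                # drop authentication before redirecting to reset
        return "reset_password"
    return "home"


# Breached-password check in the k-anonymity style used by the Pwned Passwords range API:
# the client sends only the first five hex chars of the SHA-1 and receives every matching
# suffix, so the full hash never leaves the client. CONSTRUCTED_BREACH_CORPUS and
# range_lookup stand in for the remote service; a real deployment would make an HTTP call.
CONSTRUCTED_BREACH_CORPUS = {"password123", "letmein12345", "qwertyuiop1"}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def range_lookup(prefix: str) -> set:
    return {h[5:] for h in map(sha1_upper, CONSTRUCTED_BREACH_CORPUS) if h[:5] == prefix}


def is_breached(password: str) -> bool:
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(digest[:5])


def validate_new_password(user: User, password: str) -> list:
    """Problems with a proposed password under the role-based minimum length plus breach check."""
    problems = []
    if len(password) < MIN_LENGTH[user.role]:
        problems.append(f"{user.role} passwords need at least {MIN_LENGTH[user.role]} characters")
    if is_breached(password):
        problems.append("password appears in a known breach")
    return problems
```

Running `login(make_user("correct-horse-battery", days_since_set=100), "correct-horse-battery", Session(), NOW)` returns `"reset_password"` with the session left unauthenticated; passing `logout_on_expiry=False` returns the same page but leaves the session authenticated, which is exactly the "click Home and stay logged in" gap. The breach check deliberately operates on a hash prefix so that a production version can call the real range API without disclosing the candidate password.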

AmaniKrayemRCPCH commented 4 months ago

It worked! I logged out before using the password reset link, and it hasn't asked again.

eatyourpeas commented 4 months ago

Great, thank you. The next merge from staging into live should fix this then, as it automatically logs people out when the password has expired. This is currently not happening and I think leads to this error. Once @nikyraja is happy I will merge staging into live and this will hopefully fix this issue.

nikyraja commented 4 months ago

Thanks all! Happy for this to be made live.

eatyourpeas commented 3 months ago

This is now merged. Please reopen if there are ongoing issues regarding password reset.