
Invalidate Tokens on User Change

Open dshanske opened this issue 6 years ago • 2 comments

If user's password or email changes, consider invalidating their tokens.

dshanske avatar Mar 13 '19 23:03 dshanske

Specifically, use the after_password_reset hook to invalidate tokens associated with that account, on the theory a password reset means a possible account compromise. This is different than a password change.

The same could be required if the account changed the email address on file.

dshanske avatar Mar 14 '19 00:03 dshanske

Also, on the set_user_role hook, consider revoking tokens.

dshanske avatar Mar 14 '19 00:03 dshanske
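One way to wire up the three account events raised across this thread (password reset, email change, role change) is shown below. This is an added example, not code from the wordpress-indieauth plugin: the `_example_indieauth_tokens` user meta key, the `example_revoke_user_tokens()` helper and the `example_indieauth_tokens_revoked` action are assumptions made for illustration, while `after_password_reset`, `profile_update` and `set_user_role` are WordPress core hooks with the signatures used here.

```php
<?php
/**
 * Added example (not the wordpress-indieauth plugin's own code).
 *
 * Revokes a user's IndieAuth tokens when the account changes in a way that
 * may indicate compromise or a change of privilege: a password reset, a
 * change of the email address on file, or a role change.
 *
 * Assumption (hypothetical, not from the plugin): issued tokens are kept in
 * one user meta entry under the key below, so deleting it drops them all.
 */

defined( 'ABSPATH' ) || exit;

const EXAMPLE_TOKEN_META_KEY = '_example_indieauth_tokens';

/**
 * Remove every token issued to the given user and leave an audit trail.
 *
 * @param int    $user_id User whose tokens are revoked.
 * @param string $reason  Short machine-readable reason, e.g. 'password_reset'.
 * @return bool  True if stored tokens were removed, false otherwise.
 */
function example_revoke_user_tokens( $user_id, $reason ) {
	$user_id = (int) $user_id;
	if ( $user_id <= 0 ) {
		return false;
	}

	// Deleting the meta key removes every stored token for this user.
	$deleted = delete_user_meta( $user_id, EXAMPLE_TOKEN_META_KEY );

	// Record why sessions were cut so an administrator can review it later.
	error_log( sprintf( 'IndieAuth: revoked tokens for user %d (%s)', $user_id, $reason ) );

	// Hypothetical action so a logger or notifier can react to the revocation.
	do_action( 'example_indieauth_tokens_revoked', $user_id, $reason );

	return $deleted;
}

// 1. Password reset via the lost-password flow. This is the reset case the
//    thread singles out, distinct from a routine password change.
add_action( 'after_password_reset', function ( $user, $new_pass ) {
	example_revoke_user_tokens( $user->ID, 'password_reset' );
}, 10, 2 );

// 2. Email address change. profile_update passes the previous WP_User object,
//    so compare the old and new addresses and only revoke on an actual change.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
	$user = get_userdata( $user_id );
	if ( ! $user || ! $old_user_data ) {
		return;
	}
	if ( $user->user_email !== $old_user_data->user_email ) {
		example_revoke_user_tokens( $user_id, 'email_change' );
	}
}, 10, 2 );

// 3. Role change. Tokens were issued under the old privilege level, so they
//    should not outlive it. set_user_role also fires when a user is first
//    created, with no old roles; there is nothing to revoke in that case.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
	if ( empty( $old_roles ) ) {
		return;
	}
	example_revoke_user_tokens( $user_id, 'role_change' );
}, 10, 3 );
```

The email check compares against the `$old_user_data` object WordPress hands to `profile_update` rather than revoking on every profile save, so editing a display name does not log the user out of every client. The role handler skips user creation, where `$old_roles` is empty, because no tokens can exist yet.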