yii2-user
                        fixed information on resend password and recovery, related #856
| Q | A | 
|---|---|
| Is bugfix? | yes | 
| New feature? | yes | 
| Breaks BC? | no | 
| Fixed issues | related #856 | 
Currently you can enter any e-mail address into recovery or resend password and you'll also get a success message even if the mail does not exist (e.g. you've made a typo).
This PR adds a warning flash in these cases and outputs success flashes only when appropriate.
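The trade-off this PR touches, as an added example written for this thread and not code from yii2-user or yii2-usuario: a recovery service that either reports an unknown address (the behaviour this PR proposes) or always answers with the same "if this address is associated with an account" wording, combined with a per-client rate limit so that neither variant can be probed cheaply. It is plain PHP with no framework; the class and method names, the `discloseAccountExistence` switch, the in-memory attempt store and the sample addresses are all assumptions made for the example.

```php
<?php
// Added example, not code from yii2-user or yii2-usuario. Plain PHP 8.1+, no framework.
// A recovery form that says "no such account" is friendlier on typos but lets anyone
// check which e-mails are registered; a uniform message avoids that but hides typos.
// The switch, helper names and in-memory stores below are assumptions for this example.

final class RecoveryOutcome
{
    public const SUCCESS = 'success';
    public const WARNING = 'warning';

    public function __construct(public readonly string $level, public readonly string $message) {}
}

final class PasswordRecoveryService
{
    /** @var array<string,int[]> request timestamps per client IP (constructed in-memory store) */
    private array $attempts = [];
    /** @var string[] addresses a token was "sent" to, kept so the behaviour can be checked */
    public array $sentTo = [];

    /**
     * @param string[] $registeredEmails        constructed stand-in for the user table
     * @param bool     $discloseAccountExistence like the extendedUserFlashMessages option proposed below
     */
    public function __construct(
        private array $registeredEmails,
        private bool $discloseAccountExistence = false,
        private int $maxRequestsPerWindow = 5,
        private int $windowSeconds = 900,
    ) {}

    public function request(string $email, string $clientIp, int $now): RecoveryOutcome
    {
        // Throttle before anything else. The limit applies equally to existing and
        // non-existing addresses, which is what keeps enumeration expensive.
        if ($this->isThrottled($clientIp, $now)) {
            return new RecoveryOutcome(RecoveryOutcome::WARNING,
                'Too many recovery requests. Please try again later.');
        }

        $email  = mb_strtolower(trim($email));
        $exists = in_array($email, array_map('mb_strtolower', $this->registeredEmails), true);

        if ($exists) {
            $this->sentTo[] = $email; // real code: create a recovery token and e-mail it
        }

        if ($this->discloseAccountExistence && !$exists) {
            // Behaviour proposed by this PR: tell the user the address is unknown.
            return new RecoveryOutcome(RecoveryOutcome::WARNING,
                'No account is registered with this e-mail address.');
        }

        // Same wording whether or not the address exists, so the response carries no signal.
        return new RecoveryOutcome(RecoveryOutcome::SUCCESS,
            'If this e-mail address is associated with an account, a recovery link has been sent to it.');
    }

    private function isThrottled(string $clientIp, int $now): bool
    {
        $windowStart = $now - $this->windowSeconds;
        $recent = array_filter($this->attempts[$clientIp] ?? [], fn (int $t) => $t > $windowStart);
        $recent[] = $now;
        $this->attempts[$clientIp] = array_values($recent);
        return count($recent) > $this->maxRequestsPerWindow;
    }
}

// Constructed sample run: one registered user, one correct and one mistyped address.
$users = ['alice@example.org'];
$quiet = new PasswordRecoveryService($users);                                  // default: no disclosure
$loud  = new PasswordRecoveryService($users, discloseAccountExistence: true);  // this PR's behaviour

foreach (['quiet' => $quiet, 'loud' => $loud] as $name => $svc) {
    foreach (['alice@example.org', 'alcie@example.org'] as $addr) {
        $out = $svc->request($addr, '203.0.113.5', time());
        printf("%-6s %-20s %-8s %s\n", $name, $addr, $out->level, $out->message);
    }
}
```

With the default setting both addresses get the same success flash while only `alice@example.org` ends up in `$sentTo`; with disclosure enabled the mistyped address gets the warning this PR introduces. Whichever wording is chosen, the mail should be sent out-of-band (queued) rather than inline in the request, otherwise the response time still tells an observer whether an address was found.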
The possibility of "verifying" the existence of an email is not a very safe option.
I'm not sure this should be done.
The author of #856 has already reached the same conclusion.
But always showing a success message is also not an appropriate solution. Any better ideas?
Hi, shouldn't the recovery form be validated on the existence of the user mail before sending?
I agree that having an unconditional success message is a problem. What do you think of showing a message saying that the process was successful CASE EMAIL IS CORRECT.
Consider the following situation: a malicious person has a list of users leaked from a site and can test the existence of users with the same email and use the same password to access all accounts found.
I have no doubt that it is a major security breach. The remedy against this would be a control to mitigate brute-force attacks, but that would not be feasible to be implemented here in that extension.
> Consider the following situation: a malicious person has a list of users leaked from a site and can test the existence of users with the same email and use the same password to access all accounts found.

But you do not need the password resend form for that, just use the login.

> The remedy against this would be a control to mitigate brute-force attacks, but that would not be feasible to be implemented here in that extension.

I don't like them, but what about an (optional) captcha?
How about changing only the message?
Add "if possible"/"if email correct".
> Consider the following situation: a malicious person has a list of users leaked from a site and can test the existence of users with the same email and use the same password to access all accounts found

But ... he can also try to log in directly, what would be the difference here? Don't almost all web-sites disclose the information that an account exists? But yes, actually there should be tools to mitigate brute-force, also for the above.

> add "if possible"/"if email correct"

It would be technically more correct, but makes no difference on the usability side.
> but makes no difference on the usability side.

I myself ran into the problem of misunderstanding when I tried to recover the password of a non-existent record (after the rollback of migrations).
I tried it again and again. I could see "message sent" and didn't see the email))) I checked my SMTP settings and went looking for an error in the code) And I forgot about it and repeated this a year later)))
The solution could be here, but ......
Does anyone know how usuario handles this? CC: @thyseus @tonydspaniard
@schmunk42 https://github.com/2amigos/yii2-usuario/blob/master/src/User/Service/PasswordRecoveryService.php#L43
In yii-usuario If we don't find the email, we throw an error. Also, we send a token that requires verification in order to modify it. Only the owner of the email is allowed to modify the password: https://github.com/2amigos/yii2-usuario/blob/master/src/User/Controller/RecoveryController.php#L136
@tonydspaniard Thanks for your feedback.
Are there measurements in usuario to prevent brute-force attacks or disclosing too much information, such as whether a user exists, like captchas, etc...?
@schmunk42
> Are there measurements in usuario to prevent brute-force attacks or disclosing too much information, such as whether a user exists, like captchas, etc...?
Yes sir, we use Google Recaptcha and also included Google 2Auth Authenticator.
- http://yii2-usuario.readthedocs.io/en/latest/helpful-guides/how-to-use-recaptcha-widget/
- http://yii2-usuario.readthedocs.io/en/latest/helpful-guides/how-to-implement-two-factor-auth/
Any updates on this? I stumbled upon it in a project which requires this change.
It would not be good to implement this change without there being a control to avoid brute force.
@thiagotalma Please make a proposal for how that should look.
- always showing success is IMHO not an option
- not showing a message on failure is the same as in the PR
A property to turn on/off messages completely?
How about my opinion?
A complex single message like "A message has been sent to your email address. It contains a confirmation link that you must click to complete registration. Of course, if you are sure about registration on this email."
How about adding an option extendedUserFlashMessages which can be set to true to enable this feature?
> How about adding an option extendedUserFlashMessages which can be set to true to enable this feature?
I will forget to enable this feature ;)
So... I can see this in the Nvidia resend form,
something like ... "Email will be sent (if associated with Nvidia user)"...
Yeah, I also saw different versions. Recently I had to mail GitLab support to ask which e-mail is registered :)
An option would be cool though
> On 31.05.2018 at 14:47, bscheshirwork wrote:
> So... I can see this in the Nvidia resend form
> something like ... "Email will be sent (if associated with Nvidia user)"...