pump.io

OAuth tokens still valid after changing password

Open larjona opened this issue 10 years ago • 2 comments

Hi, I have changed my user password via the webUI, and checked that the old password does not work, and the new one works, in the webUI. Great.

However, I can still use the clients without doing anything. It seems it's because the OAuth token/secret didn't change; shouldn't the pump.io site revoke the OAuth keys when the user changes the password? This way it would force the user to authenticate next time she uses any client too (not only in the web interface).

larjona, Apr 08 '14 19:04

I'm wondering if #543 would resolve this issue as that would give you a mechanism to revoke the OAuth tokens if you felt they had been compromised?

tsyesika, Apr 13 '14 13:04

Yes, we should definitely clear the OAuth tokens when your password changes, to force re-authentication.

evanp, Jun 22 '14 16:06
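
The behaviour discussed in this thread, sketched as an added example (this is not pump.io's code): a password change that also revokes every OAuth token issued for that user, so each client has to authenticate again. The `AccountStore` class, its method names and the in-memory maps are hypothetical, and the OAuth authorization exchange and token secrets are left out.

```javascript
// Added example: hypothetical in-memory model, not pump.io's implementation.
const nodeCrypto = require('node:crypto');

class AccountStore {
  constructor() {
    this.users = new Map();  // nickname -> { salt, hash }
    this.tokens = new Map(); // access token -> { nickname, client }
  }
  setPassword(nickname, password) {
    const salt = nodeCrypto.randomBytes(16);
    const hash = nodeCrypto.scryptSync(password, salt, 32);
    this.users.set(nickname, { salt, hash });
  }
  checkPassword(nickname, password) {
    const user = this.users.get(nickname);
    if (!user) return false;
    const candidate = nodeCrypto.scryptSync(password, user.salt, 32);
    return nodeCrypto.timingSafeEqual(user.hash, candidate);
  }
  // Called after the user has authorized a client (exchange omitted).
  issueToken(nickname, client) {
    const token = nodeCrypto.randomBytes(24).toString('hex');
    this.tokens.set(token, { nickname, client });
    return token;
  }
  // Resolve a token presented by a client to its user, or null if unknown.
  authenticate(token) {
    const entry = this.tokens.get(token);
    return entry ? entry.nickname : null;
  }
  // Drop every token belonging to one user; other users are untouched.
  revokeAllTokens(nickname) {
    let revoked = 0;
    for (const [token, entry] of this.tokens) {
      if (entry.nickname === nickname) {
        this.tokens.delete(token);
        revoked += 1;
      }
    }
    return revoked;
  }
  // Password change and token revocation happen together, so a client
  // holding an old token cannot keep access after the change.
  changePassword(nickname, oldPassword, newPassword) {
    if (!this.checkPassword(nickname, oldPassword)) {
      throw new Error('current password is incorrect');
    }
    this.setPassword(nickname, newPassword);
    return this.revokeAllTokens(nickname);
  }
}
```

`changePassword` returns the number of tokens it revoked, which is a convenient value to write to an audit log.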