
Issues with credentials changing

Open rafalp opened this issue 2 years ago • 3 comments

Some issues with credentials changing that could use fixes:

  • Confirmation link in e-mail is "Save changes"
  • Error page when token is invalid focuses on "link belongs to other user", it should explain that links are valid only for current session
  • Part of the token's seed is the user's last visit date; see how often that gets updated and consider replacing it with a separately stored expiration time. Maybe store the token as a JWT and e-mail the user a signature of it?

rafalp avatar Apr 18 '23 20:04 rafalp

It's also worth it to see what phpBB3, Discourse and Invision Community are doing here.

rafalp avatar Nov 08 '23 21:11 rafalp

Django auth has a token generation utility that encodes the user's id, email, password, last login and a timestamp. This is the same data that Misago uses.

But maybe the issue is that in case of forgotten password reset token, the user can't change their last login field by mistake, while for credentials they do?

rafalp avatar Nov 11 '23 14:11 rafalp
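To make the "last login changes invalidate the token" behaviour discussed above concrete, here is an added example (not Misago's or Django's own code) of a Django-style state-hash token: an HMAC over user id, password hash, last login, email and a timestamp. The `User` dataclass, the secret and the TTL are constructed for the demo.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumption: a server-side secret; constructed for this demo only.
SECRET = b"constructed-secret-for-demo-only"
TOKEN_TTL_SECONDS = 3600  # separately enforced expiry, independent of user state


@dataclass
class User:
    """Minimal stand-in for a forum user record (constructed for the demo)."""
    pk: int
    email: str
    password_hash: str
    last_login: Optional[datetime]


def _hash_state(user: User, ts: int) -> str:
    # Every field here is part of the token: changing any of them (including
    # last_login, which updates whenever the user signs in) invalidates it.
    last_login = "" if user.last_login is None else \
        user.last_login.replace(microsecond=0, tzinfo=None).isoformat()
    state = f"{user.pk}{user.password_hash}{last_login}{ts}{user.email}"
    return hmac.new(SECRET, state.encode(), hashlib.sha256).hexdigest()[:40]


def make_token(user: User, now: Optional[float] = None) -> str:
    ts = int(now if now is not None else time.time())
    return f"{ts}-{_hash_state(user, ts)}"


def check_token(user: User, token: str, now: Optional[float] = None) -> bool:
    try:
        ts_str, digest = token.split("-", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    now_i = int(now if now is not None else time.time())
    # Reject expired or future-dated tokens before comparing digests.
    if ts > now_i or now_i - ts > TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(_hash_state(user, ts), digest)
```

Re-running `check_token` after the user's `last_login` has moved (e.g. they signed in again between requesting and clicking the link) returns False, which is exactly the session-bound behaviour the issue describes.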

I am also unable to reproduce this issue on Misago forums (it's working there) nor on the reporter's site (because it's not sending emails).

rafalp avatar Nov 11 '23 22:11 rafalp