
Securely store password reset tokens


As displayed in https://github.com/feathersjs/feathers-authentication-management/blob/master/src/sendResetPwd.js#L37, it doesn’t look like this module hashes the password reset tokens when it adds them to the user’s data store. However, reset tokens are a credential useful to an adversary in the case of a data breach, similar to that of passwords themselves. It is a lot less work to use a reset token to take over a user’s account than it is to brute-force bcrypt hashes.

I think that the reset tokens should be sent, and then the user model patched with the hashed variant of the sent token. This will mitigate a number of situations in which the database can be read (and not necessarily written to) by an adversary. A realistic situation I brought up in a recent blog post is a situation in which the database is directly exposed for reading to the internet due to misconfiguration. An adversary can issue password resets for users and hijack accounts without needing write access to the user models of the applications.

I didn’t issue a PR for this as I’m not entirely familiar with the architecture of Feathers, and it seems that a change of this nature would be a breaking change for existing reset tokens unless the user model was flagged or migrated in some fashion, a non-trivial task when the hashing algorithm and underlying data store can be changed. These are architectural decisions best left to maintainers.

Ways I can see this happening:

  1. In new versions of feathers-authentication-management, patchUser also patches user models with isSecureToken: true as a stopgap, and the code branches to check old, active reset tokens. New reset tokens are hashed and checked against the hashed variant.
  2. Don’t worry about it. Tokens have a short expiration date, and the token not matching just forces a new reset for some users stuck during the migration process.
  3. Migrate old plaintext tokens upon upgrade to the new module. This would likely need some way to detect whether an existing token was hashed, which is fuzzy at best given that the password hash algorithm can be changed out by a user.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 9 (3 by maintainers)

Top GitHub Comments

micaksica2 commented, Aug 7, 2017 (1 reaction)

Does that mean you are indifferent at this stage as to which way it goes? If I’m writing the PR for this I’m going to choose the “break old reset tokens” option because it’s by far the easiest to develop and test for. 😀

eddyystop commented, Nov 9, 2018 (0 reactions)

The a-l-m rewrite has an option.passwordfield. The default is obtained from config/default.json.

Full details at https://github.com/feathers-plus/authentication-local-management/blob/master/misc/upgrading.md
