Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security: Is `passwordChange` safe?

See original GitHub issue

The problem

passwordChange is called with data.value.user, and not the signed in user:

https://github.com/feathers-plus/feathers-authentication-management/blob/master/src/service.js#L66

Which suggests that a logged in user may change password for any users, by submitting a user which is not himself:

app.service('authManagement').create({
  action: 'passwordChange',
  value: {
    user: 'this.is.not@me.com'
    password: 'hijackedYourAccount'
  }
})

Expected behavior

passwordChange should use hook.params.user

Issue Analytics

State:
Created 6 years ago
Comments:14

Top GitHub Comments

1reaction

claustrescommented, Sep 3, 2018

As far as I understand the module compares first the input old password to the current password of the user retrieved using the input email (see https://github.com/feathers-plus/feathers-authentication-management/blob/master/src/passwordChange.js#L34). This means that if you provide the email of someone else you need to know his current password to change it, so it is safe. Maybe this issue refers to a previous version or I miss the point ?

0reactions

eddyystopcommented, Nov 10, 2018

The only work I see remaining is having authentication-local check the isVerified field (if it exists) in the user-entity record. I’ve moved this to https://github.com/feathers-plus/authentication-local-management/issues/4 so I can close the multiple issues raised here.

Full details on the authenticated-local-management rewrite are posted to https://github.com/feathers-plus/authentication-local-management/blob/master/misc/upgrading.md