Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Keep email confirmation token on password update. #5951

Open
wants to merge 5 commits into
base: main
Choose a base branch
from

Conversation

ShPakvel
Copy link
Contributor

@ShPakvel ShPakvel commented Oct 11, 2024

  • Keep email confirmation token during password update and reset.

When user decides to change password, mail can still be waiting confirmation.

Reason why user changes password is not important and
does not lead to any security issue related to email confirmation.

Logic is the same for update and reset of password.

Covered by tests for update and reset - different tokens are created, and asserted that all except confirm token are deleted.


  • Add missing required attribute to password confirmation.

During `update_user_email` we have to clean up not only chagne email token,
but also all tokens that were send to email previously.
Such as "confirm" and "reset_password" tokens.
This is because they were sent to previous email,
which potentially can be compromised at this point,
as it can be one of reasons to chagne email initially.
When user decides to change password, mail can still be waiting confirmation.

Reason why user changes password is not important and
does not lead to any security issue related to email confirmation.
So related part of logic is the same for update and reset of password.
@ShPakvel ShPakvel changed the title Fix security issue on update_user_email. Fix security issue on update_user_email and correct token removal on password update. Oct 12, 2024
@josevalim
Copy link
Member

Thank you for the PR. Just one tiny correction:

Fix security issue on email update.

I don't believe there is a security issue here because, when we reset and confirm password, we validate that user email matches the token email.

This PR should be exclusively about improving the user experience by not deleting confirmation tokens. All other aspects are protected today.

@josevalim
Copy link
Member

To be clear, I believe the PR should only change this line: https://github.com/phoenixframework/phoenix/pull/5951/files#diff-501abec1a66c387cce697c48f3c433e58c4fecd77bcd39765d0f3f982d96c39cL202

And update one of the existing tests. :)

Previous email tokens are treated as invalid. Protected by email comparison in `verify_email_token_query`.
@ShPakvel ShPakvel changed the title Fix security issue on update_user_email and correct token removal on password update. Don't remove confirm token on password update. Oct 24, 2024
@ShPakvel ShPakvel changed the title Don't remove confirm token on password update. Keep email confirmation token on password update. Oct 24, 2024
@ShPakvel
Copy link
Contributor Author

@josevalim, thanks! I see I missed protection we have by comparison of user emails in verify_email_token_query. I've reverted this part of code.

Regarding keeping email confirmation token. I think it should be done in both cases "password update" and "password reset". Removing "confirm" email token is inconvenience for user experience in both cases, and I don't see any security issue with keeping token.

@ShPakvel
Copy link
Contributor Author

ShPakvel commented Dec 9, 2024

code is actualized with main branch

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants