
forced password reset #232

Closed · jywarren opened this issue Feb 21, 2015 · 8 comments

Labels: break-me-up (break up for cleaner code separation, discrete tests, and easier and iterative collaboration), enhancement (explains that the issue is to improve upon one of our existing features), help wanted (requires help by anyone willing to contribute)

Comments

@jywarren (Member)

@btbonval sez:

It'd be nice to have a feature for admins which allows them to forcibly change a user's password to some kind of internally generated nonsense, which is emailed to the user. The admin need never see the generated password.
If an account is compromised, this would be a simple fix so long as the user's email address is a trusted out of band communication channel.

This should actually be fairly simple to implement. While trying to reset a password by hand, I found that a user's hashed password and salt may be changed using the password attribute. The reset_key attribute allows the user to reset his or her password by typing in the generated key; this should probably be done using the pre-existing functions.

For a quick preview, it might look like this:

```ruby
# Only moderators and admins may force a reset; a missing current_user is refused too.
if current_user && %w[moderator admin].include?(current_user.role)
  user = User.find_by_whatever(something_distinct) # placeholder lookup for the target account
  user.password = random_generator   # placeholder: random password the admin never sees
  user.reset_key = key_generator     # placeholder: reset key sent to the user's email
  user.save!
  email_key_to_user
else
  flash[:error] = 'YOU SHALL NOT PASS!'
end
```

I can't test this personally due to #166

It turns out no accounts were (as yet) compromised. This ticket is still useful should an account be compromised at a later date, but there is less urgency.

jywarren added the enhancement label Feb 21, 2015

@btbonval (Member)

Not sure if I meant this originally, but I see this as being a pretty simple process:

  1. change the user's password to random gibberish using JS or Ruby and don't report that password to anyone. Effectively the user account is disabled from logins until the password is changed.
  2. Issue a password reset key using the conventional mechanism. The only difference is that the user didn't request it by clicking a button on the UI, otherwise the same internal mechanisms should work.
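The two-step procedure above (random password that nobody learns, then a reset key issued through the conventional mechanism), as an added example that is not the project's own code. The `User` struct, the PBKDF2 storage scheme and iteration count, and the `Mailer` stub are assumptions for illustration; the real app's model and mailer differ.

```ruby
require 'securerandom'
require 'openssl'

# Assumed minimal user record (not the project's model).
User = Struct.new(:username, :email, :role, :password_hash, :salt, :reset_key)

PRIVILEGED_ROLES = %w[admin moderator].freeze
PBKDF2_ITERATIONS = 20_000 # assumed; tune for the real deployment

def derive(plaintext, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(plaintext, salt, PBKDF2_ITERATIONS, 32,
                             OpenSSL::Digest.new('SHA256'))
end

# Store a new hashed password under a fresh random salt.
def set_password!(user, plaintext)
  user.salt = SecureRandom.hex(16)
  user.password_hash = derive(plaintext, user.salt)
end

# Login check; constant-time compare so timing does not leak a matching prefix.
def password_valid?(user, plaintext)
  OpenSSL.fixed_length_secure_compare(derive(plaintext, user.salt), user.password_hash)
end

# Stand-in for the app mailer: records what would be emailed to the user.
class Mailer
  attr_reader :sent
  def initialize
    @sent = []
  end

  def send_reset(user, key)
    @sent << { to: user.email, reset_key: key }
  end
end

# Step 1: overwrite the password with random gibberish that is discarded at once,
# so nobody can log in until the reset completes. Step 2: issue a reset key by
# the same route a self-service reset uses, delivered only to the user's email.
# The return value carries status only: the admin never sees the password or key.
def force_password_reset(actor, user, mailer)
  unless actor && PRIVILEGED_ROLES.include?(actor.role)
    return { ok: false, error: 'YOU SHALL NOT PASS!' }
  end
  set_password!(user, SecureRandom.base64(32))     # never stored or logged in the clear
  user.reset_key = SecureRandom.urlsafe_base64(24) # 192 bits of entropy
  mailer.send_reset(user, user.reset_key)
  { ok: true }
end
```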

@jywarren (Member, Author)

jywarren commented Nov 15, 2016

I'd like to break this up into smaller pieces:

Marking it break-me-up so we can give people next steps and get this done.

jywarren added the break-me-up and help wanted labels Nov 15, 2016

@Kevin-Kawai (Contributor)

@jywarren Hi, I've been looking around issues trying to find something I can take part in. Is this issue still live? I think I generally understand the task and what to do. If it's still something that needs to get done, I'd be super excited to give it a go!

@jywarren (Member, Author)

jywarren commented Dec 7, 2017 via email

@Kevin-Kawai (Contributor)

@jywarren Alrighty, sounds great! I'll take a crack at it over the weekend and let you know if I run into any trouble.

@jywarren (Member, Author)

jywarren commented Dec 8, 2017 via email

@Kevin-Kawai (Contributor)

@jywarren Hey, I was able to get some time to work on this issue and created a PR, #1834. It's incomplete and still a work in progress. I had a bit of trouble with routes not working on my local machine, so I had to change them, but they are probably correct the way they are, so I will change them back.

If you have the chance to look through this and tell me if I'm on the right track that would be great. Thanks in advance!

@jywarren (Member, Author)

jywarren commented Mar 1, 2018

Oh oops, this is now done!
