Enable increased login security #2651

pglombardo · 2024-10-20T17:15:30Z

Description

This PR improves the security of logins.

If you're not using logins in your Password Pusher instance, this PR won't apply to you.

Changes:

Confirmation, password recovery and other workflows will now behave the same regardless if the e-mail provided was right or wrong. This avoids confirming whether an account exists or not in the system.
Account confirmations must now be done within 3 days otherwise the user will have to request a new confirmation token.
User sessions now timeout in 30 minutes of no activity. Being a security product with sensitive data, this is appropriate.

📚 Examples / docs / tutorials / dependencies update
🔧 Bug fix (non-breaking change which fixes an issue)
🥂 Improvement (non-breaking change which improves an existing feature)
🚀 New feature (non-breaking change which adds functionality)
💥 Breaking change (fix or feature that would cause existing functionality to change)
🔐 Security fix

I've written tests (if applicable) for all new methods and classes that I created. (rake test)
I've added documentation as necessary so users can easily use and understand this feature/fix.

Enable increased login security

43a83f8

pglombardo added enhancement security labels Oct 20, 2024

Require account confirmation

68b4bc4

pglombardo merged commit 6fa791a into master Oct 20, 2024
5 checks passed

pglombardo deleted the security-improvements branch October 20, 2024 19:15