-
-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chore/98 invalidate jwt on reset password #459
Conversation
…ctly instead of generating a bunch of policies based on attribute values
…esn't match the user in the DB
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my previous comment
…ience by default.
Thanks, I'm seeing this date issue as well. I also noticed that the test has a weird failure mode. When the test does a submit of the reset form, the reset fails (due to a bug), however it then just sends the user to the home page, without any indication that the password change failed. This is also a bug in the front end, if a password reset fails (for any reason) we need to tell the user, not just send them home. Create #465 to track this |
…nd reusing that to verify the link has expired
…rs to aide debugging auth issues.
@myieye test's are working again, please take another look. For the date issue I just truncated it to unix seconds and used that for the comparison instead. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like things are working well.
This does introduce some strange behaviour, because unrelated properties all depend on the same date: E.g. user display name, email, password etc.
This will only matter in edge cases, but I expect there will be a few weird situations:
E.g.
- A user registers, fixes their display name and then tries to verify their email address.
- An admin resets a user's password (shouldn't happen I know, but it will 😆), the user logs in, sees: "oh, I should verify my email address", looks for the email => 💥
We probably just need to wait and see what happens.
We could potentially change the message to something like "The link is no longer valid due to changes to your account."
I'll leave that up to you.
Oh, I know what we should change. We should only validate the date if the user is changing their email; not if they're verifying the email address that we already have in the db |
…email isn't changing
closes #98
sends the user to the login page with an error when they click an expired jwt link where the jwt was expired because the user has been updated since it was generated.
@myieye I can't get the test to work, it's kinda hard to follow and figure out what I need to do to click on the link again.