mirror of
https://github.com/lldap/lldap.git
synced 2026-04-25 08:15:52 +03:00
[GH-ISSUE #37] Changing password should require a current password check #21
Originally created by @nitnelave on GitHub (Sep 16, 2021).
Original GitHub issue: https://github.com/lldap/lldap/issues/37
Currently that is achieved through the UI logic only, but anyone hitting the API can change their own password without verifying that they know the current one. It's probably okay for now, but it enables the following attack scenario:
User is logged in on a public/unattended computer OR an attacker gets hold of a currently valid auth token.
Attacker can use a purpose-built client to change the password of the victim.
To solve this, we can disallow the "register" opaque methods for any non-admin, and add a new endpoint to change the password that does both steps in parallel: establishing a new password while checking the old one. Both OPAQUE messages are sent for every step.
@nitnelave commented on GitHub (Nov 20, 2021):
This is probably minor, and if we wanted to do it right it would complicate things when taking the password reset into account.