[PATCH] secure password reset implementation

Andrew Shadura andrew at shadura.me
Sun Jul 26 18:58:42 UTC 2015


On 23/07/15 15:53, Mads Kiilerich wrote:
> On 07/19/2015 03:35 PM, Andrew Shadura wrote:
>> # HG changeset patch
>> # User Andrew Shadura <andrew at shadura.me>
>> # Date 1431821238 -7200
>> #      Sun May 17 02:07:18 2015 +0200
>> # Node ID 98cb64feddfb89f106f66763462061fd2ca3f412
>> # Parent  f103b1a2383bc4fba5d28f9732ba832025e3bf00
>> secure password reset implementation
> 
> A couple of other things:

> It should make sure it doesn't go too far with changing passwords when
> using external authentication (but also not reveal too much information
> too early). (I guess it would be nice if each authentication module had
> a customizable "tell the user how to change the password" string...)

Right, I have to fix this.

> The user is redirected to a "Code you received in the email" page ...
> but the mail only contains a URL - no mention of any code.

Could you please check once more? Because it's one of the things I have
fixed in this revision of the patch.

-- 
Cheers,
  Andrew

