fix(core): Hash password reset token - V08 #6573
Great PR! Please pay attention to the following items before merging: Files matching
Make sure to check off this list before asking for review.
Codecov Report
Patch coverage:
Additional details and impacted files
@@ Coverage Diff @@
## master #6573 +/- ##
==========================================
- Coverage 28.82% 28.75% -0.08%
==========================================
Files 3042 3042
Lines 187564 187573 +9
Branches 20759 20758 -1
==========================================
- Hits 54071 53932 -139
- Misses 132654 132802 +148
Partials 839 839
☔ View full report in Codecov by Sentry.
This means that existing password reset requests will no longer work, right? People will need to request again.
One thing we could do is create a migration that hashes existing password reset tokens so they continue to work.
Also, when reviewing the code I realised we changed the default value for the userManagement.emails.mode setting to be smtp instead of an empty string. This means that the check in the first line of @Post('/forgot-password') will never work.
@@ -199,6 +199,22 @@ export class PasswordResetController { | |||
throw new NotFoundError(''); | |||
} | |||
|
|||
const validResetPasswordToken = await compareHash( | |||
resetPasswordToken, | |||
user?.resetPasswordToken as string, |
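Review bot: the optional chain in `user?.resetPasswordToken as string,` is redundant here, because the `throw new NotFoundError('');` just above means `user` is already defined when `compareHash` runs, and the `as string` cast hides the real gap: a user who never requested a reset has no stored hash, so `compareHash` would be called with an undefined second argument. Guard that case explicitly before comparing, for example `if (!user.resetPasswordToken) { throw new NotFoundError(''); }` ahead of `const validResetPasswordToken = await compareHash(`, and then drop both the `?.` and the cast.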
Suggested change: replace `user?.resetPasswordToken as string,` with `user.resetPasswordToken as string,`
@@ -245,6 +260,21 @@ export class PasswordResetController { | |||
throw new NotFoundError(''); | |||
} | |||
|
|||
const validResetPasswordToken = await compareHash( | |||
resetPasswordToken, | |||
user?.resetPasswordToken as string, |
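Review bot: this hunk repeats the comparison sequence of the `@@ -199` hunk line for line, including the `user?.resetPasswordToken as string,` cast, so any fix to the missing-hash handling or to the error returned has to be made twice. Move the lookup-and-compare into one private method on `PasswordResetController` that throws `NotFoundError` when the stored hash is missing or `compareHash` returns false, and call it from both handlers, so the two endpoints cannot drift apart on how a reset token is validated.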
Suggested change: replace `user?.resetPasswordToken as string,` with `user.resetPasswordToken as string,`
@krynble yes, but they are only valid for 1 hour and that is highly unlikely to happen. I would avoid adding a migration just for that!
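The pattern the PR moves to, as an added example that is not n8n's code and not the change under review: only a hash of the reset token is stored, the presented token is hashed and compared in constant time, the 1-hour validity mentioned above is enforced, the token is single use, and a one-off migration rehashes rows that still hold plaintext tokens (the alternative raised in review). Assumptions of this example: SHA-256 via node:crypto stands in for the project's compareHash, an in-memory Map stands in for the user repository, and a stored value that is not a 64-character hex digest is taken to be a legacy plaintext token.

```typescript
// Added example, not n8n code: hashed password-reset tokens with a 1-hour window,
// single use, and a one-off migration for rows that still hold plaintext tokens.
import { randomBytes, createHash, timingSafeEqual } from "node:crypto";

const RESET_TOKEN_TTL_MS = 60 * 60 * 1000; // 1 hour, the validity mentioned in the thread

// Stand-in for the user table (constructed for this example).
interface UserRecord {
  id: string;
  email: string;
  resetPasswordToken: string | null;           // hash of the token; the plaintext is never stored
  resetPasswordTokenExpiration: number | null; // epoch milliseconds
}

const users = new Map<string, UserRecord>();

// Assumption of this example: SHA-256 instead of the project's compareHash. The token is
// 32 random bytes, so a fast hash is enough; a slow password hash only pays off when the
// secret is low-entropy, which a 256-bit random token is not.
function hashToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

// Issue: the plaintext goes into the reset link; only its hash and the expiry are persisted.
function issueResetToken(user: UserRecord, now: number = Date.now()): string {
  const token = randomBytes(32).toString("hex");
  user.resetPasswordToken = hashToken(token);
  user.resetPasswordTokenExpiration = now + RESET_TOKEN_TTL_MS;
  return token;
}

// Verify: the row is fetched by user id (as in the PR), the presented token is hashed and
// compared in constant time, and an expired or never-issued token is rejected.
function verifyResetToken(userId: string, token: string, now: number = Date.now()): boolean {
  const user = users.get(userId);
  if (!user || user.resetPasswordToken === null || user.resetPasswordTokenExpiration === null) {
    return false;
  }
  if (now > user.resetPasswordTokenExpiration) {
    return false;
  }
  const stored = Buffer.from(user.resetPasswordToken, "hex");
  const presented = Buffer.from(hashToken(token), "hex");
  return stored.length === presented.length && timingSafeEqual(stored, presented);
}

// Consume: a reset token is single use, so clear it as part of changing the password.
function consumeResetToken(userId: string, token: string, now: number = Date.now()): boolean {
  if (!verifyResetToken(userId, token, now)) {
    return false;
  }
  const user = users.get(userId)!;
  user.resetPasswordToken = null;
  user.resetPasswordTokenExpiration = null;
  return true;
}

// Migration for the case raised in review: rows that still hold a plaintext token are
// rewritten to hold its hash so outstanding reset links keep working. Assumption of this
// example: a stored value that is not a 64-char hex digest is treated as legacy plaintext;
// a real migration would key on schema version rather than sniffing the format.
function migratePlaintextTokens(): number {
  let migrated = 0;
  for (const user of users.values()) {
    const value = user.resetPasswordToken;
    if (value !== null && !/^[0-9a-f]{64}$/.test(value)) {
      user.resetPasswordToken = hashToken(value);
      migrated += 1;
    }
  }
  return migrated;
}
```

Looking the row up by user id and comparing one stored hash, as the PR does, keeps the hash out of any query; if the handler instead had to find the user from the token alone, a deterministic hash like the one above would allow a lookup by `hashToken(token)`, which a salted slow hash would not.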
closing in favor of #6714
https://linear.app/n8n/issue/N8N-6495/v08-insecure-password-reset-and-account-invitation