-
-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add revokeSessionOnPasswordReset option. Closes #1584 #1597
Add revokeSessionOnPasswordReset option. Closes #1584 #1597
Conversation
}) { | ||
if (typeof revokeSessionOnPasswordReset !== 'boolean') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe move to the config validate ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will do
Current coverage is
|
@drew-gross updated the pull request. |
So after this PR' sessions won't be revoked on password reset? That seems like a security flow as an impersonator would be able to use and old session. |
Thats true, it's a marginal security risk. But, it's available in Parse.com, and there could be apps depending on this behaviour, so I don't think it's too bad, especially if your app has a session management page. Also sessions are revoked by default, you need to opt in to the less secure behaviour. |
Looks like it's The opposite as the default value is false. Is that intended? I'm fine with either, but that changes the default behavior and may impact existing deployments replacing the behavior by a slightly less secure onez |
Default looks like true from where I'm sitting: https://github.com/ParsePlatform/parse-server/pull/1597/files#diff-fd794f727e5f1cd4aa9c54051208b6c9R118 |
Was reading the wrong line. Sorry about that |
No description provided.