Pow security practices

Some of the below is based on OWASP or NIST SP800-63b recommendations.

User ID

The user_id_field value is always treated as case insensitive
If the user_id_field is :email, it'll be validated based on RFC 5322 (sections 3.2.3 and 3.4.1) and RFC 5321 with unicode characters permitted in local and domain part

Password

The :password has a minimum length of 8 characters
The :password has a maximum length of 4096 bytes to prevent DOS attacks against Pbkdf2
The :password_hash is generated with PBKDF2-SHA512 with 100,000 iterations

Session management

The session value contains a UUID token that is used to pull credentials through a GenServer
The credentials are stored in a key-value cache with TTL of 30 minutes
The credentials and session are renewed after 15 minutes if any activity is detected
The credentials and session are renewed when user updates

Timing attacks

If a user couldn't be found or the :password_hash is nil a blank password is used
A UUID is always generated during reset password flow

Information leak

If PowEmailConfirmation extension is used or registration has been disabled, the reset password flow will always return success message
If PowEmailConfirmation extension is used and a user can't be found, the registration and sign in page will redirect the user with a message to confirm their e-mail before they can sign in

Browser cache

The sign in, registration and invitation acceptance page won't be cached by the browser