diff --git a/CHANGELOG.md b/CHANGELOG.md
index a071bdad..7455f09a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 ## v1.0.12 (TBA)
+* Added `:reset_password_token_store` configuration setting
 * To prevent timing attacks, `Pow.Ecto.Context.authenticate/2` now verifies password on a blank user struct when no user can be found for the provided user id, but will always return nil. The blank user struct has a nil `:password_hash` value. The struct will be passed along with a blank password to the `verify_password/2` method in the user schema module.
 * To prevent timing attacks, when `Pow.Ecto.Schema.Changeset.verify_password/3` receives a struct with a nil `:password_hash` value, it'll hash a blank password, but always return false.
 * To prevent timing attacks, the UUID is always generated in `PowResetPassword.Plug.create_reset_token/2` whether the user exists or not.
diff --git a/lib/extensions/persistent_session/plug/base.ex b/lib/extensions/persistent_session/plug/base.ex
index ecd5d2b2..b433ccdc 100644
--- a/lib/extensions/persistent_session/plug/base.ex
+++ b/lib/extensions/persistent_session/plug/base.ex
@@ -7,11 +7,13 @@ defmodule PowPersistentSession.Plug.Base do
 ## Configuration options
 * `:persistent_session_store` - the persistent session store. This value
- defaults to `{PersistentSessionCache, backend: EtsCache}`. The `EtsCache`
- backend store can be changed with the `:cache_store_backend` option.
+ defaults to
+ `{PowPersistentSession.Store.PersistentSessionCache, backend: Pow.Store.Backend.EtsCache}`.
+ The `Pow.Store.Backend.EtsCache` backend store can be changed with the
+ `:cache_store_backend` option.
 * `:cache_store_backend` - the backend cache store. This value defaults to
- `EtsCache`.
+ `Pow.Store.Backend.EtsCache`.
 * `:persistent_session_ttl` - integer value in milliseconds for TTL of persistent session in the backend store. This defaults to 30 days in 
diff --git a/lib/extensions/reset_password/plug.ex b/lib/extensions/reset_password/plug.ex
index 990de3cb..99fb8e33 100644
--- a/lib/extensions/reset_password/plug.ex
+++ b/lib/extensions/reset_password/plug.ex
@@ -38,6 +38,12 @@ defmodule PowResetPassword.Plug do
 To prevent timing attacks, `Pow.UUID.generate/0` is called whether the user exists or not.
+
+ `:reset_password_token_store` can be passed in the config for the conn. This
+ value defaults to
+ `{PowResetPassword.Store.ResetTokenCache, backend: Pow.Store.Backend.EtsCache}`.
+ The `Pow.Store.Backend.EtsCache` backend store can be changed with the
+ `:cache_store_backend` option.
 """
 @spec create_reset_token(Conn.t(), map()) :: {:ok, map(), Conn.t()} | {:error, map(), Conn.t()}
 def create_reset_token(conn, params) do
@@ -48,7 +54,7 @@ defmodule PowResetPassword.Plug do
 |> Map.get("email")
 |> ResetPasswordContext.get_by_email(config)
- maybe_store_reset_token(conn, user, token, config)
+ maybe_store_reset_token(conn, user, token, config)
 end
 defp maybe_store_reset_token(conn, nil, _token, _config) do
@@ -65,6 +71,9 @@ defmodule PowResetPassword.Plug do
 @doc """
 Fetches user from the store by the provided token.
+
+ See `create_reset_token/2` for more on `:reset_password_token_store` config
+ option.
 """
 @spec user_from_token(Conn.t(), binary()) :: map() | nil
 def user_from_token(conn, token) do
@@ -83,6 +92,9 @@ defmodule PowResetPassword.Plug do
 @doc """
 Updates the password for the user fetched in the connection.
+
+ See `create_reset_token/2` for more on `:reset_password_token_store` config
+ option.
 """
 @spec update_user_password(Conn.t(), map()) :: {:ok, map(), Conn.t()} | {:error, map(), Conn.t()}
 def update_user_password(conn, params) do
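Review bot: The new `@doc` text for `create_reset_token/2` documents only the `{store, store_config}` tuple form of `:reset_password_token_store`, while the `store/1` clause added in the later `@@ -114,6 +126,13 @@` hunk also accepts a bare store module and pairs it with `[]`, so in that form `:cache_store_backend` is never consulted (it is only read inside `default_store/1`). A reader of this doc will expect `:cache_store_backend` to take effect whenever the default `ResetTokenCache` is named, which is not what the code does. Suggested wording after the first sentence: `The value is either a {store_module, store_config} tuple or a bare store module; a bare module is given an empty config, so the :cache_store_backend option only affects the default store.` The same caveat applies to the two "See `create_reset_token/2`" pointers added to `user_from_token/2` and `update_user_password/2`, which inherit it by reference.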
@@ -114,6 +126,13 @@ defmodule PowResetPassword.Plug do
 end
 defp store(config) do
+ case Config.get(config, :reset_password_token_store, default_store(config)) do
+ {store, store_config} -> {store, store_config}
+ store -> {store, []}
+ end
+ end
+
+ defp default_store(config) do
 backend = Config.get(config, :cache_store_backend, EtsCache)
 {ResetTokenCache, [backend: backend]}
diff --git a/lib/pow/plug/session.ex b/lib/pow/plug/session.ex
index cc21c111..306dba0a 100644
--- a/lib/pow/plug/session.ex
+++ b/lib/pow/plug/session.ex
@@ -27,11 +27,12 @@ defmodule Pow.Plug.Session do
 used it'll automatically prepend the key with the `:otp_app` value.
 * `:session_store` - the credentials cache store. This value defaults to
- `{CredentialsCache, backend: EtsCache}`. The `EtsCache` backend store
- can be changed with the `:cache_store_backend` option.
+ `{Pow.Store.CredentialsCache, backend: Pow.Store.Backend.EtsCache}`. The
+ `Pow.Store.Backend.EtsCache` backend store can be changed with the
+ `:cache_store_backend` option.
 * `:cache_store_backend` - the backend cache store. This value defaults to
- `EtsCache`.
+ `Pow.Store.Backend.EtsCache`.
 * `:session_ttl_renewal` - the ttl in milliseconds to trigger renewal of sessions. Defaults to 15 minutes in miliseconds.
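Review bot: The catch-all `store -> {store, []}` clause in the new `store/1` accepts any term, so a malformed `:reset_password_token_store` value (a keyword list, a three-element tuple, a string from misread config) is silently wrapped and only blows up later inside whatever store call receives it, far from the configuration that caused it. Since this store holds password reset tokens, failing at configuration time is the safer behaviour; `store when is_atom(store) -> {store, []}` makes a bad value raise a `CaseClauseError` right here. Separately, `default_store(config)` is evaluated eagerly as the third argument of `Config.get/3` even when the option is set; that is cheap, but a short comment such as `# default is built eagerly; it is only a tuple literal` would stop the next reader from "fixing" it. The closing `end` of `default_store/1` and the rest of the hunk are not visible in this chunk.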