[Koha-bugs] [Bug 30962] REST API: Add endpoint /patrons/:patron_id/check_password

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Aug 9 10:27:09 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962

Jonathan Druart <jonathan.druart+koha at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jonathan.druart+koha at gmail.
                   |                            |com
             Status|Signed Off                  |Failed QA

--- Comment #11 from Jonathan Druart <jonathan.druart+koha at gmail.com> ---
1. Missing tests (you must provide tons of tests to cover the different
situations)
2. Route's name should not be a verb (/password/validation maybe?)
3. Routes that return empty should return 204
4. It's always returning "Invalid password" even for other failures (like too
many attempts)
5. It allows you to check for pwd validation for a user you don't know their
userid (you can brute force just by knowing the patron's id). I don't think
it's a security concern as userid could be guessed anyway (?)
6. Following 5, you can lock any accounts if FailedLoginAttempts is set, no
need to know the userid list. How bad is that?

-- 
You are receiving this mail because:
You are watching all bug changes.
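Points 3, 4 and 6 of the comment above describe what the endpoint should return in each situation and why a per-patron failed-attempt counter makes lockout reachable by patron id. The following sketch is an added illustration of those review points, not Koha code: it models a password-validation route keyed by `patron_id` that returns 204 on success, a distinct 400 for a wrong password and a distinct 423 once the attempt limit is reached. The route name `/password/validation`, the `MAX_FAILED` constant standing in for the FailedLoginAttempts setting, the in-memory `store`, and the PBKDF2 hashing are all assumptions made for the example (Koha itself is Perl and uses its own password hashing and storage).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical stand-in for the FailedLoginAttempts system preference.
MAX_FAILED = 3


@dataclass
class Patron:
    """Minimal constructed patron record; not Koha's schema."""
    patron_id: int
    userid: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only so the example is self-contained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_patron(patron_id: int, userid: str, password: str) -> Patron:
    salt = os.urandom(16)
    return Patron(patron_id, userid, salt, hash_password(password, salt))


def validate_password(store: dict, patron_id: int, password: str):
    """Model of POST /patrons/:patron_id/password/validation.

    Returns (http_status, body) so that each outcome is distinguishable:
      204 -> password correct (empty body, per review point 3)
      400 -> password wrong
      404 -> no such patron
      423 -> account locked after MAX_FAILED wrong attempts
    """
    patron = store.get(patron_id)
    if patron is None:
        return 404, {"error": "Patron not found"}

    # Lockout is checked before the password, so a locked account never
    # reveals whether the supplied password was right (review point 6:
    # anyone who knows the patron_id can drive this counter to the limit).
    if patron.failed_attempts >= MAX_FAILED:
        return 423, {"error": "Account locked: too many failed attempts"}

    if hmac.compare_digest(hash_password(password, patron.salt), patron.pw_hash):
        patron.failed_attempts = 0
        return 204, None

    patron.failed_attempts += 1
    if patron.failed_attempts >= MAX_FAILED:
        return 423, {"error": "Account locked: too many failed attempts"}
    # Distinct from the lockout case, unlike the single "Invalid password"
    # reply criticised in review point 4.
    return 400, {"error": "Invalid password"}


if __name__ == "__main__":
    store = {1: make_patron(1, "alice", "correct horse battery")}
    for attempt in ("correct horse battery", "wrong", "wrong", "wrong", "correct horse battery"):
        print(attempt, "->", validate_password(store, 1, attempt))
```

Running the block shows the sequence 204, 400, 400, 423, 423: the final correct password is refused because the lock is evaluated first. Where a throttle or per-caller rate limit belongs in a real implementation is exactly the point the review leaves open.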

