[Koha-bugs] [Bug 30962] REST API: Add endpoint /auth/password/validation

bugzilla-daemon at bugs.koha-community.org
Wed Jan 4 02:05:29 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962

--- Comment #22 from David Cook <dcook at prosentient.com.au> ---
(In reply to Jonathan Druart from comment #11)
> 1. Missing tests (you must provide tons of tests to cover the different
> situations)
> 2. Route's name should not be a verb (/password/validation maybe?)
> 3. Routes that return empty should return 204
> 4. It's always returning "Invalid password" even for other failures (like
> too many attempts)
> 5. It allows you to check for pwd validation for a user you don't know their
> userid (you can force brute only by knowing the patron's id). I don't think
> it's a security concern as userid could be guessed anyway (?)
> 6. following 5, you can lock any accounts if FailedLoginAttempts is set, no
> need to know the userid list. How bad is that?

I think that I've addressed all these points now :)

-- 
You are receiving this mail because:
You are watching all bug changes.

