https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962 --- Comment #22 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #11)
1. Missing tests (you must provide tons of tests to cover the different situations) 2. Route's name should not be a verb (/password/validation maybe?) 3. Routes that returns empty should return 204 4. It's always returning "Invalid password" even for other failures (like too many attempts) 5. It allows you to check for pwd validation for a user you don't know their userid (you can force brute only by knowing the patron's id). I don't think it's a security concern as userid could be guessed anyway (?) 6. following 5, you can lock any accounts if FailedLoginAttempts is set, no need to know the userid list. How bad is that?
I think that I've addressed all these points now :) -- You are receiving this mail because: You are watching all bug changes.