Commit Graph

2 Commits (3bd7ef2b0a4bc5ef45aaaaf68d63ef0a1963f6ec)

Author SHA1 Message Date
Sylvain Tissot ffb84283c2
Harden password reset process
The improvements are:

- Die with an explicit message when a user is trying to reset his lost password and the option is disabled in config
- Redirect user to main page after password change using relative URL
- Don't leak info whether user exists or has recovery info defined
- Throttle password reset requests to prevent brute force attacks
- Show phone/alt email fields in mailbox/admin edit form only when the password reset option is enabled
- Make database upgrade code compatible with other database types
- Use the existing password generator to generate OTP. It is now stored in database, unique to each user, valid only for 1 hour and can only be used once.
8 years ago
Sylvain Tissot 9c9ba64a7f Allows a user or admin to reset his/her forgotten password with a code sent by email/SMS #18 8 years ago