W
Wasp-lang4mo ago
Johnny

Password Reset token invalidation

Hey, could it be that a password token can be reused once it is used? Tried it 3 times with the same token and it changed every time the password
11 Replies
MEE6
MEE64mo ago
Wohooo @Johnny, you just became a Waspeteer level 2!
kapa.ai
kapa.ai4mo ago
Hi @Johnny. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave: ---------------------- Based on the information available in the provided knowledge sources, there isn't a direct answer to your question about whether a password reset token can be reused in Wasp. However, it's generally a good security practice to invalidate a password reset token once it's been used, to prevent potential misuse. In the context of JWTs, there was a discussion in the Wasp community about token invalidation. One of the points raised was that there's no way for the backend to know whether a received token has been invalidated (i.e., logged out) without keeping state on the server. After you log out/invalidate a session, the session id is no longer valid authentication for anything (as opposed to a stateless JWT which can still be used) source (https://github.com/wasp-lang/wasp/issues/573). If you're experiencing an issue with password reset tokens not being invalidated after use, it might be worth raising this as an issue in the Wasp GitHub repository or discussing it further in the Discord community. ---------------------- Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: ---------------------- Sorry @Johnny, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
miho
miho4mo ago
@Johnny the password token is a JWT token we generate that expires after some time (30 minutes). You can reuse it until it expires 🤷‍♂️ What would be the ideal scenario for you? cc: @martinsos
Johnny
Johnny4mo ago
@miho My idea would be, to insert a hash value that is a combination of user/userid+his current password Into the jwt payload It would be validated on sending, is the hash matches the current data, it is a valid token Otherwise it isnt
miho
miho4mo ago
I'm having trouble understanding why would you need that? 🙂 The current password reset token is a signed JWT which can't be faked since it's signed by the secret only available on the backend
Johnny
Johnny4mo ago
You would do everything like it is done now Sogn it, check if it is signed by thr backend etc. Just add a validation hash to the payload once it is being generated To check if the password is the dame as it was, once the password reset token got requested After the user changes the password and would use the same token again, the hash wouldnt match with the newly generated one - due to the already changed password -> the token would immadetly be "invalidated" once it was sucesfully used
miho
miho4mo ago
Maybe I'm not seeing some security aspect of the recommendation. The only person that has access to the link for password reset should be the person who has registered with that email. If that person decides to reset their password 3 times with the same token, that's not really an issue? @Wasp Team am I not seeing something? 😄 The method of storing the password hash in the token might not be the best from the security perspective since you are leaking the password hash and you can decode the token easily: https://jwt.io/
JWT.IO
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
Filip
Filip4mo ago
If that person decides to reset their password 3 times with the same token, that's not really an issue? Am I not seeing something
I can't speak on the security implications of doing it this way, but I can say that most sites I've dealt with don't let you use password reset links more than once (at least to the best of my knowledge, I've never extensively tested it) @Johnny You can tell us more if you know Ok, @miho, I found an SO question and answer. It's our exact use case and arguments make sense: https://security.stackexchange.com/a/244855
miho
miho4mo ago
Makes sense, I've created an issue for us https://github.com/wasp-lang/wasp/issues/1933
GitHub
Make email verification and password tokens one-time use only · Iss...
According to https://thecopenhagenbook.com/password-reset and https://security.stackexchange.com/a/244855 it makes sense to make the tokens one-time use only to ensure that bad actors can't int...
martinsos
martinsos4mo ago
Nice!
Johnny
Johnny4mo ago
Thats why I have mentioned multiple fields, so it cant be traced back - lets say the userid+usermail+password to create the hash. The same mechanism could be used for a email change token etc.
Want results from more Discord servers?
Add your server
More Posts
Mails not being sent (Mailgun and Sendgrid tested => both haven't even got an API request)Hey, I have setup my main.wasp with my email I have registered and set the APIKey - for password resuiWhich ui component library works well with waspRunning the backend as a regular node.js app?Hi, I'm wondering if it's possible to run the backend as a regular node.js application like 'npm staWhere to startIm a UI designer dabbling in trying to create my first app w/ GitHub code pilot as I’m not a developrunning wasp inside google idx errorI am trying to setup the dev environment test out opensaas with google online ide idx, but when I trApp crashed for unknowing reasonHey, I start the app when it's still v-0.12.0, it works fine till today, nothing changed on my end btrying to run wasp.sh server on dockerHey guys, so I tried dockerising wasp-sh after I saw it on your recent reddit post. 1. I created aConfused about [Client ]HMR[Wasp 0.13.0, MacOs] Hey guys, I am trying to update wasp header/nav bar to a new style with framerIssue with deploying my wasp app to fly.ioI'm trying to deploy my wasp app to fly.io, but I'm encountering an error that doesn't make sense. Whas anyone got shadcn to work with wasp? I am trying but keep getting an errorAttached is the error I am currently getting. Just wondering if anyone has had success with it?