strongloop / loopback
90%
master: 90%

LAST BUILD BRANCH: chore/update-lts
DEFAULT BRANCH: master
Repo Added 31 Jan 2017 11:54AM UTC
Files 36
LAST BUILD ON BRANCH feature/set-password-with-token

pending completion
5720

push

travis-ci

bajtos
Implement more secure password flow

Improve the flow for setting/changing/resetting User password to make
it more secure.

 1. Modify `User.resetPassword` to create a token scoped to allow
    invocation of a single remote method: `User.setPassword`.

 2. Scope the method `User.setPassword` so that regular tokens created
    by `User.login` are not allowed to execute it.

For backwards compatibility, this new mode (flow) is enabled only
when User model setting `restrictResetPasswordTokenScope` is set to
`true`.

 3. Changing the password via `User.prototype.patchAttributes`
    (and similar DAO methods) is no longer allowed. Applications
    must call `User.changePassword` and ask the user to provide
    the current (old) password.

For backwards compatibility, this new mode (flow) is enabled only
when User model setting `rejectPasswordChangesViaPatchOrReplace` is set
to `true`.

1753 of 2204 branches covered (79.54%)

33 of 33 new or added lines in 1 file covered. (100.0%)

3208 of 3579 relevant lines covered (89.63%)

6271.05 hits per line

Source Files on feature/set-password-with-token
  • List 0
  • Changed 2
  • Source Changed 0
  • Coverage Changed 2

Recent builds

| Builds | Branch | Commit | Type | Ran | Committer | Via | Coverage |
|---|---|---|---|---|---|---|---|
| 5720 | feature/set-password-with-token | Implement more secure password flow Improve the flow for setting/changing/resetting User password to make it more secure. 1. Modify `User.resetPassword` to create a token scoped to allow invocation of a single remote method: `User.setPasswo... | push | 20 Apr 2017 08:29AM UTC | bajtos | travis-ci | pending completion |
| 5718 | feature/set-password-with-token | Implement more secure password flow Improve the flow for setting/changing/resetting User password to make it more secure. 1. Modify `User.resetPassword` to create a token scoped to allow invocation of a single remote method: `User.setPasswo... | push | 20 Apr 2017 08:23AM UTC | bajtos | travis-ci | pending completion |
| 5716 | feature/set-password-with-token | Address Simon's review | push | 20 Apr 2017 08:17AM UTC | bajtos | travis-ci | pending completion |
| 5714 | feature/set-password-with-token | Split legacyPasswordFlow into two flags - restrictResetPasswordTokenScope - rejectPasswordChangesViaPatchOrReplace | push | 19 Apr 2017 01:42PM UTC | bajtos | travis-ci | pending completion |
| 5712 | feature/set-password-with-token | Improve jsdoc comments | push | 19 Apr 2017 11:27AM UTC | bajtos | travis-ci | pending completion |
| 5711 | feature/set-password-with-token | fix typo in code comment | push | 19 Apr 2017 06:40AM UTC | bajtos | travis-ci | pending completion |
| 5708 | feature/set-password-with-token | Address more review comments | push | 18 Apr 2017 11:06AM UTC | bajtos | travis-ci | pending completion |
| 5692 | feature/set-password-with-token | Simplify user.createAccessToken signature | push | 13 Apr 2017 02:13PM UTC | bajtos | travis-ci | pending completion |
| 5682 | feature/set-password-with-token | fixup! da2ce0f Address code review comments | push | 11 Apr 2017 03:28PM UTC | bajtos | travis-ci | pending completion |
| 5680 | feature/set-password-with-token | fixup! da2ce0f Address code review comments | push | 11 Apr 2017 03:20PM UTC | bajtos | travis-ci | pending completion |