strongloop / loopback

90%

master: 90%

LAST BUILD ON BRANCH fix/change-password-multiple-users

branch: fix/change-password-multiple-users

CHANGE BRANCH

x

Reset

• fix/change-password-multiple-users
• fix/diff-remoting
• feature/detectUserConfig
• 2.x
• fix/travis-config
• master
• v3.5.0
• 2.x-latest
• v2.38.2
• feature/change-password-api
• fix/options-in-token-invalidations
• fix/change-password-validation
• feature/enable-email-verification-replay
• fix/options-in-token-invalidations-master
• feature/access-token-scopes
• v3.6.0
• fix/unauthorized-current-user-literal-2x
• feature/access-scopes
• maintenance/passing-context-options-in-user.verify
• update-dependencies
• 3.x/update-dependencies
• feature/set-password-with-token
• update-msg
• test-branch
• test-readme
• v2.38.3
• v3.7.0
• feature/refactor-access-token-id
• v3.8.0
• fix/debug-statements
• fix_type
• feature/object-storage
• empty_password
• v3.9.0
• add-codeowner
• empty-password-lb3
• translate
• juggler-version
• add-validate-updateAll
• update/travis-platforms
• revert-3541-add-validate-updateAll
• acl-apidoc-fix
• v3.10.0
• create-issue-pr-templates
• v3.10.1
• catch-err
• updateonly_feature
• v3.11.0
• persisted-model/fix-updateonly-props-check
• v3.11.1
• welcome-lehni
• welcome-zbarbuto
• v3.12.0
• v3.13.0
• declarative-nest-remoting
• v3.14.0
• 3.x-latest
• fix/build
• update-strong-globalize
• v3.15.0
• test-ci
• fix/build-2x
• remove/lehni
• drop/node-0x
• v2.39.0
• fix/multi-user-reset-password
• v3.16.0
• fix-create-id
• v3.16.1
• v3.16.2
• license
• v3.17.0
• update-eslint-config
• v3.17.1
• fix/setRemote-updateAll
• v3.18.0
• update-juggler
• update-juggler-2
• v3.18.1
• v2.39.1
• fix/dangling-promise-in-test
• nestRemoting/prevent-endless-relation-recursion
• v3.18.2
• backport/babel-es6-to-es5
• v2.39.2
• welcome-nitro404
• fix/eslint-issues
• fix/role-acl-with-multiple-users
• v3.18.3
• fix/get-access-context-user
• feature/remove-model
• v3.19.0
• fix/principal-type-polymorphic-user
• v3.19.1
• v3.19.2
• add-node-10
• v3.19.3
• backport/do-not-allow-duplicate-role-names
• drop-node-4x
• v3.20.0
• update-strong-error-handler
• fix/crash-in-verifyUserRelations
• v3.21.0
• fix-lint
• fix-acl
• v3.22.0
• fix-translation
• v3.22.1
• v3.22.2
• fix-dep
• npm-test
• v3.22.3
• change-status
• v3.23.0
• disable-context-tests
• update-lts
• v3.23.1
• speed-up-acl-tests
• v3.23.2
• set-default-remote-options
• v3.24.0
• fix/windows-ci
• v2.41.1
• v3.24.1
• v3.24.2
• fix-crash-when-replacing-unknown-user
• v2.41.2
• v3.25.0
• fixFilterDef
• v3.25.1
• lts
• copyright
• chore/add-node-12
• 2.x-eol
• eol
• copyrights
• update-karma-nyc
• ignore-failing-downstream-builds
• production
• string-username-email
• v3.26.0
• 2.x-backport
• v2.42.0
• fix-npm-audit
• fix/ci
• improve/github-templates
• update-dev-deps
• fix-comma-dangle
• chore/improve-issue-templates
• chore/update-juggler
• feat/maintenance-lts
• v3.27.0
• bajtos-patch-1
• travis
• upgrade-nodemailer
• v3.28.0

Build # 6056

Build Type

push

travis-ci

Committed by bajtos

Commit Message

Fix "POST /change-password" for multi-user setup

Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.

This fixes the following security vulnerability:

* We have two user models, e.g. Admin and Customer

* We have an Admin instance and a Customer instance with the same
  id and the same password.

* The Customer can change Admin's password using their
  regular access token.

Run Details

1818 of 2273 branches covered (79.98%)

3302 of 3668 relevant lines covered (90.02%)

9484.98 hits per line