strongloop / loopback
90%
master: 90%

LAST BUILD BRANCH: chore/update-lts
DEFAULT BRANCH: master
Repo Added 31 Jan 2017 11:54AM UTC
Files 36

LAST BUILD ON BRANCH fix/multi-user-reset-password

pending completion
6041

push

travis-ci

bajtos
Fix "POST /reset-password" for multi-user setup

Fix the code extracting current user id from the access token provided
in the HTTP request, to allow only access tokens created by the target
user models to execute the action.

This fixes the following security vulnerability:

* A UserA with id 1 (for example), requires a resetToken1

* A UserB with the same id requires a resetToken2.

* Using resetToken2, use the UserAs/reset-password endpoint and change
  the password of UserA and/or vice-versa.

1820 of 2275 branches covered (80.0%)

8 of 8 new or added lines in 1 file covered. (100.0%)

3303 of 3669 relevant lines covered (90.02%)

9435.38 hits per line

Recent builds

Builds | Branch | Commit | Type | Ran | Committer | Via | Coverage
6041 | fix/multi-user-reset-password | Fix "POST /reset-password" for multi-user setup Fix the code extracting current user id from the access token provided in the HTTP request, to allow only access tokens created by the target user models to execute the action. This fixes the follo... | push | 24 Oct 2017 05:54PM UTC | bajtos | travis-ci | pending completion