strongloop / loopback / 5665 / 3

90%

master: 90%

push

travis-ci

Implement more secure password flow

Improve the flow for setting/changing/resetting User password to make
it more secure.

 1. Modify `User.resetPassword` to create a token scoped to allow
    invocation of a single remote method: `User.setPassword`.

 2. Scope the method `User.setPassword` so that regular tokens created
    by `User.login` are not allowed to execute it.

 3. Changing the password via `User.prototype.patchAttributes`
    (and similar DAO methods) is no longer allowed. Applications
    must call `User.changePassword` and ask the user to provide
    the current (old) password.

For backwards compatibility, this new mode (flow) is enabled only
when User model setting `legacyPasswordFlow` is set to `false`.

1747 of 2198 branches covered (79.48%)

3192 of 3565 relevant lines covered (89.54%)

2076.01 hits per line