[aerogear-dev] Password reset

Apostolos Emmanouilidis aemmanou at redhat.com
Thu Dec 5 07:42:23 EST 2013


Sounds good to me.

Just wanted to add that the /rest/forgot endpoint response must return
the same answer regardless of whether the given e-mail is successfully
validated against the database or not. The client should not be able to
find out if an e-mail address exists in our DB.

On Thu, 2013-12-05 at 09:43 -0200, Bruno Oliveira wrote:

> Good morning slackland, here comes the basic idea about password reset: https://github.com/abstractj/password-reset
> 
> Some considerations to keep in mind: 
> 
> 1. E-mail in an insecure channel, for this reason we won’t build any functionality to “remember” the password, only reset.   
> 2. It must be provided over SSL 
> 3. We are not NSA proof, so this is just a prototype to validate ideas. 
> 
> 
> Details about the prototype: 
> 
> 1. The place to store the Token is totally up to the implementer: keystore, PicketLink or whatever database 
> 2. The url to reset the password is built with PBKDF2 + authenticated one-way hash function (HMAC), which means there’s no way you can pull the url id back out. In this way we are avoiding 2 issues: rainbow table attacks and tampering; in other words an attacker will have a hard time brute forcing it, as well as trying to corrupt the message.
> 3. This example doesn’t validate the e-mail address or have a login.
> 
> - Token table 
> 
> - id: the hashed message generated and encoded in Base64 (it is possible to use hexadecimal)
> - sentAt: the date and time when the token was sent to someone else
> - expiration: token expiration. Defaults to 1 hour.
> - used: whether the token was used or not. I implemented it this way, but being paranoid I would suggest just deleting that record if the token was used.
> 
> - ExpirationTime class: just a class to deal with time and check if the Token has expired. 
> 
> - TokenService class: just a class to manipulate the tokens in the database
> 
> - Endpoint workflow: 
> 
> - /rest/forgot 
> 
> 1. User inputs the e-mail
> 2. E-mail is validated against the database
> 3. A URL to reset the password is sent
> 
> Ex: curl -v -H "Accept: application/json" -H "Content-type: application/json" -d '{"email":"john@doe.com"}' -X POST http://localhost:8080/password-reset/rest/forgot
> 
> - /rest/reset 
> 
> 1. User sends an HTTP request with the token id 
> 2. The id is validated against the database 
> 3. User is redirected to the reset password page 
> 4. The new password is configured 
> 5. Token id is destroyed in the database or disabled
> 
> Ex: curl -v -H "Accept: application/json" -H "Content-type: application/json" -X POST http://localhost:8080/password-reset/rest/reset\?id\=sQrYVLJvwQptgYAg46t%2B%2BfoLrWxaPmkMY6mmvCs%2F51M%3D 
> 
> 
> -- 
> abstractj
> 
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
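An added illustration of the token lifecycle the two messages describe (not code from the password-reset prototype or from AeroGear): the id is derived with PBKDF2, then HMAC, then Base64; /rest/forgot answers identically for known and unknown e-mails; and /rest/reset accepts the id once, only before its one-hour expiry, deleting the record afterwards. The in-memory USERS/TOKENS/OUTBOX stores, the server-side HMAC key, the 10,000 PBKDF2 iterations and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# Constructed in-memory stand-ins for the database and the outgoing mail
# (hypothetical names, not the prototype's own classes).
USERS = {"john@doe.com": "old-secret"}   # e-mail -> current password (sample)
TOKENS = {}                               # token id -> {"email", "sentAt", "expiration"}
OUTBOX = []                               # (e-mail, reset URL) pairs "sent" to the user
SERVER_KEY = secrets.token_bytes(32)      # hypothetical server-side HMAC key
EXPIRATION = 3600                         # token lifetime in seconds (1 hour, as proposed)
FORGOT_RESPONSE = {"status": "ok"}        # identical answer for known and unknown e-mails


def make_token_id(message: bytes, salt: bytes) -> str:
    """Stretch a random message with PBKDF2, then authenticate it with HMAC;
    the Base64 result is the id placed in the URL and stored in the Token table."""
    stretched = hashlib.pbkdf2_hmac("sha256", message, salt, 10_000)
    mac = hmac.new(SERVER_KEY, stretched, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def forgot(email: str, now: float) -> dict:
    """/rest/forgot: same response whether or not the e-mail is in USERS."""
    if email in USERS:
        token_id = make_token_id(secrets.token_bytes(32), secrets.token_bytes(16))
        TOKENS[token_id] = {"email": email, "sentAt": now, "expiration": EXPIRATION}
        # Base64 uses + / =, so the id is percent-encoded in the URL, as in the curl example.
        OUTBOX.append((email, "/rest/reset?id=" + quote(token_id, safe="")))
    return dict(FORGOT_RESPONSE)


def token_from_url(url: str) -> str:
    """Recover the raw Base64 id from the percent-encoded reset URL."""
    return unquote(url.rsplit("id=", 1)[1])


def reset(token_id: str, new_password: str, now: float) -> str:
    """/rest/reset: accept the id once, only before it expires; otherwise 'invalid'."""
    record = TOKENS.get(token_id)
    if record is None:
        return "invalid"
    if now > record["sentAt"] + record["expiration"]:
        del TOKENS[token_id]              # expired token: drop the record
        return "invalid"
    USERS[record["email"]] = new_password
    del TOKENS[token_id]                  # delete rather than flag as used (the paranoid option)
    return "ok"
```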

