Password reset 0.1.0
by Bruno Oliveira
Good morning my friends, I think I finally found a happy path to the password reset workflow. To eat my own dog food, I wrote the whole interaction with AGJS (thanks a lot Luke for your patience).
Details about the project:
url: https://github.com/abstractj/password-reset/
tag: 0.1.0
Dependencies: The following PR must be locally installed https://github.com/aerogear/aerogear-crypto-java/pull/14
The “api” package is what I would suggest moving to another project, ag-security for example, and the other packages are mostly up to the implementer.
Configuration files:
- The project has 2 configuration files
web.xml:
<init-param>
<param-name>url</param-name>
<param-value>http://localhost:8080/password-reset/</param-value>
</init-param>
<init-param>
<param-name>redirect-page</param-name>
<param-value>/reset/update.html</param-value>
</init-param>
The “url” parameter is used by the project to build URLs like: http://localhost:8080/password-reset/reset?id=CMZXGXLg%2Fw7nCBrlmEB%2BO6iDMHzxNSf8cD5idyDxS8U%3D and “redirect-page” is the page the user is redirected to when the correct token id is provided.
config.properties:
secret_key = "d9eb5171c59a4c817f68b0de27b8c1e340c2341b52cdbc60d3083d4e8958532" \
"18dcc5f589cafde048faec956b61f864b9b5513ff9ce29bf9e5d58b0f234f8e3b"
“secret_key” will be the passphrase used by PBKDF2 to HMAC a new token and can’t be shared.
How to test it?
- git clone https://github.com/abstractj/password-reset/ && cd password-reset && mvn clean package
Scenarios for testing:
- Workflow I
1. Open http://localhost:8080/password-reset/ in your browser
2. Input whatever e-mail and click on reset
3. A URL will be printed in your console logs. For example: http://localhost:8080/password-reset/reset?id=CMZXGXLg%2Fw7nCBrlmEB%2BO6i...
4. Copy & paste it into your browser
5. If everything went well, you will probably see the update page. Input the e-mail, the new password and the confirmation
6. Now try to send a request to the same URL and you will get a 404 (this is intentional, because the token was used & destroyed)
- Workflow II
1. Try to request the update.html page
2. You should get a 404 because you’re not allowed to do it without a valid token
- Workflow III
1. Try to request http://localhost:8080/password-reset/reset/?id="Some random or repeated id here"
2. You should get a 404 because you’re not allowed to do it without a valid token
- Workflow IV
1. Change the value of https://github.com/abstractj/password-reset/blob/master/src/main/java/... to -10 for example.
2. Input whatever e-mail and click on reset
3. A URL will be printed in your console logs. For example: http://localhost:8080/password-reset/reset?id=CMZXGXLg%2Fw7nCBrlmEB%2BO6i...
4. Copy & paste it into your browser
5. You should get a 404 because this token has already expired.
Open questions
- Is the usability easy or tricky? Are the configuration files too much?
- Where should the “api” package be added? ag-security? nowhere?
- Is the workflow ok for you?
Thoughts, suggestions?
--
abstractj
11 years
how about this API for sync?
by Erik Jan de Wit
Just to get some discussion going and have something to talk about, I’ve drafted an API, so what do you think?
// [option 1, fully automatic: we create a pipe and add the possibility to add a store for failover; sync just happens on on- and offline events]
// and because merging can fail, users can add conflict handlers
Builder builder = Builder.createPipe(pipeConfig).addFailoverStore(storeConfig);
Pipe<Car> pipe = builder.pipe(Car.class);
pipe.addConflictHandler(new ConflictHandler() {
    public void conflict(Field originalField, Field newField) {
        // user interaction
    }
});

// [option 2, explicit: let the user specify when to sync and what to sync]
SyncedPipe syncedPipe = SyncPipeBuilder.build(options); // SyncedPipe: Store and Pipe together
// or we only use a store to sync and tell the sync manager where to sync to
SyncManager syncManager = new SyncManager();
syncManager.filter(readFilter); // maybe we don't want to sync all data but just some part
syncManager.addConnectionHandler(new ConnectionHandler() {
    public void onConnection() {
        syncManager.sync(syncedPipe);
    }
});
syncManager.addConflictHandler(new ConflictHandler() {
    public void conflict(Field originalField, Field newField) {
        // user interaction
    }
});
Cheers,
Erik Jan
11 years
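As an added illustration of the second option in the draft above (explicit sync with a read filter, a connection handler and a conflict handler), here is a Python sketch. It is not AeroGear code; the names (SyncManager, filter, add_connection_handler, add_conflict_handler, the record dicts) and the sample data are assumptions. It goes beyond the draft in one respect: the conflict handler returns the value to keep, and a per-record snapshot of the last synced state is kept so that a change made on only one side is merged silently and the handler is consulted only when both sides changed the same field.

```python
from typing import Any, Callable, Dict, List, Optional

Record = Dict[str, Any]


class SyncManager:
    """Sketch of the explicit-sync option: filter, connection handler, conflict handler."""

    def __init__(self, local: Dict[str, Record], remote: Dict[str, Record]):
        self.local = local        # the on-device store
        self.remote = remote      # stand-in for the server reached through the Pipe
        self._base: Dict[str, Record] = {}   # each record as it looked after the last sync
        self._filter: Callable[[Record], bool] = lambda record: True
        self._connection_handlers: List[Callable[[], None]] = []
        self._conflict_handler: Optional[Callable[[str, Any, Any], Any]] = None

    def filter(self, predicate: Callable[[Record], bool]) -> None:
        """Only records accepted by the predicate take part in a sync."""
        self._filter = predicate

    def add_connection_handler(self, handler: Callable[[], None]) -> None:
        self._connection_handlers.append(handler)

    def add_conflict_handler(self, handler: Callable[[str, Any, Any], Any]) -> None:
        """handler(field, original_value, new_value) returns the value to keep (assumed contract)."""
        self._conflict_handler = handler

    def on_connection(self) -> None:
        """Called by the app when connectivity returns; runs the registered handlers."""
        for handler in self._connection_handlers:
            handler()

    def _merge(self, rec_id: str, local_rec: Record, remote_rec: Record) -> bool:
        """Three-way merge of one record; returns True if the conflict handler was needed."""
        base = self._base.get(rec_id, {})
        merged: Record = {}
        conflicted = False
        for field in sorted(set(local_rec) | set(remote_rec)):
            mine, theirs, before = local_rec.get(field), remote_rec.get(field), base.get(field)
            if mine == theirs:
                merged[field] = mine
            elif mine == before:          # only the remote side changed
                merged[field] = theirs
            elif theirs == before:        # only the local side changed
                merged[field] = mine
            else:                         # both sides changed: ask the user
                if self._conflict_handler is None:
                    raise RuntimeError(f"unresolved conflict on {rec_id}.{field}")
                merged[field] = self._conflict_handler(field, theirs, mine)
                conflicted = True
        self.local[rec_id] = dict(merged)
        self.remote[rec_id] = dict(merged)
        self._base[rec_id] = dict(merged)
        return conflicted

    def sync(self) -> List[str]:
        """Push, pull and merge the filtered records; returns ids where a conflict was resolved."""
        conflicted: List[str] = []
        for rec_id, local_rec in list(self.local.items()):
            if not self._filter(local_rec):
                continue
            if rec_id not in self.remote:           # created offline: push it
                self.remote[rec_id] = dict(local_rec)
                self._base[rec_id] = dict(local_rec)
            elif self._merge(rec_id, local_rec, self.remote[rec_id]):
                conflicted.append(rec_id)
        for rec_id, remote_rec in list(self.remote.items()):
            if rec_id not in self.local and self._filter(remote_rec):   # new on the server: pull it
                self.local[rec_id] = dict(remote_rec)
                self._base[rec_id] = dict(remote_rec)
        return conflicted


if __name__ == "__main__":
    # Constructed sample data: one car record on the server, nothing on the device yet.
    server = {"1": {"model": "Golf", "color": "red"}}
    device: Dict[str, Record] = {}
    manager = SyncManager(device, server)
    manager.add_conflict_handler(lambda field, original, new: original)  # keep the server's value
    manager.add_connection_handler(manager.sync)
    manager.on_connection()
    device["1"]["color"] = "blue"
    server["1"]["color"] = "black"
    print("conflicts:", manager.sync(), "->", device["1"])
```

The connection handler is what the app would wire to its own online/offline notification; the filter lets a client sync only a subset of its data, as the draft's readFilter comment suggests.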
AG JS 1.3.1
by Lucas Holmquist
Hot on the heels of 1.3.0, I am hoping to release 1.3.1 next week.
Here is a list of the JIRAs associated with it
https://issues.jboss.org/issues/?jql=project%20%3D%20AGJS%20AND%20fixVers...
There were some bug fixes and test/documentation updates, but there were 2 big options added in DataManager:
1. Auto Connect
Since IndexedDB and WebSQL both needed to be "opened" before doing a read/save/remove/filter, I've added an option "auto" to the creation of a store. It will default to false, so it will not break any existing stuff. If set to true, then you can do a read, for example, and not have to worry about calling open.
2. Opt-Out of Fallback and "preferred"
This new option, 'fallback', will default to true, so DataManager will fall back to a supported adapter by default, but if you want to make sure an error is thrown if an adapter is not supported then you can set fallback=false.
There is also a new "preferred" option. By default when fallback is enabled, this is the order the adapters are tried: [ "IndexedDB", "WebSQL", "SessionLocal", "Memory" ]
Now a user can specify a list of adapters they want to try, so they can do [ "Memory" ] if they only want to fall back to the memory adapter if, let's say, IndexedDB isn't available.
So give it a try
11 years
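To make the two options concrete, the following Python model is an added example, not AeroGear.js code: select_adapter implements the fallback rules described above (the default order, an explicit "preferred" list, and fallback=false raising instead of silently downgrading), and a small Store shows what "auto" changes about a read before open(). Function and class names here are assumptions.

```python
from typing import Iterable, List, Optional, Sequence

# Default order DataManager tries adapters in when fallback is enabled.
DEFAULT_FALLBACK_ORDER = ["IndexedDB", "WebSQL", "SessionLocal", "Memory"]


class AdapterNotSupported(Exception):
    """Raised instead of falling back when fallback is disabled (or nothing is available)."""


def select_adapter(requested: str, supported: Iterable[str], fallback: bool = True,
                   preferred: Optional[Sequence[str]] = None) -> str:
    """Pick the adapter a store should use in this environment.

    requested: the adapter type the store asked for, e.g. "IndexedDB"
    supported: adapter names the current browser actually supports
    fallback:  False -> raise if `requested` is unsupported (no silent downgrade)
    preferred: explicit list to try instead of DEFAULT_FALLBACK_ORDER
    """
    supported = set(supported)
    if requested in supported:
        return requested
    if not fallback:
        raise AdapterNotSupported(f"{requested} is not supported and fallback is disabled")
    order = list(preferred) if preferred is not None else DEFAULT_FALLBACK_ORDER
    for name in order:
        if name in supported:
            return name
    raise AdapterNotSupported(f"none of {order} is supported here")


class Store:
    """Minimal store model: a read or save before open() fails unless auto=True."""

    def __init__(self, adapter: str, auto: bool = False):
        self.adapter = adapter
        self.auto = auto
        self.opened = False
        self._rows: List[dict] = []

    def open(self) -> "Store":
        self.opened = True
        return self

    def _ensure_open(self) -> None:
        if self.opened:
            return
        if not self.auto:
            raise RuntimeError("store not opened; call open() or create it with auto=True")
        self.open()   # auto-connect: open transparently on first use

    def save(self, row: dict) -> None:
        self._ensure_open()
        self._rows.append(dict(row))

    def read(self) -> List[dict]:
        self._ensure_open()
        return [dict(row) for row in self._rows]


if __name__ == "__main__":
    # Constructed environment: a browser without IndexedDB.
    browser_supports = {"WebSQL", "SessionLocal", "Memory"}
    print(select_adapter("IndexedDB", browser_supports))                      # WebSQL
    print(select_adapter("IndexedDB", browser_supports, preferred=["Memory"]))  # Memory
    store = Store(select_adapter("IndexedDB", browser_supports), auto=True)
    store.save({"id": 1, "title": "no explicit open() needed"})
    print(store.read())
```

Setting fallback to False is the option to reach for when the application must not run against a different storage engine than the one it was written for, since a quiet downgrade to SessionLocal or Memory changes persistence behaviour without any error surfacing.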
More Sync
by Summers Pittman
So as I mentioned in the meeting I am dog fooding some sync ideas on
Android in the form of a DevNexus app.
Here are the two main interfaces that have precipitated out so far:
https://gist.github.com/secondsun/df6724e89d7ae06cbb64
*Warning Android Gory Details begin here*
I am working towards a PeriodicSyncAdapter that I mentioned in a
previous email. Android has this type of functionality built in but it
is VERY VERY heavy on boilerplate, XML, and complexity. I want to build
something which is lighter.
My current idea is to create a BroadcastReceiver which users can
register. The SynchronizationConfigs (no code to share but they are
just Key/Value POJOs) will be instantiated into Synchronizers using a
Synchronize factory class (think Pipeline). The Synchronize factory
will tell the BroadcastReceiver about the Synchronizers, but the
Synchronizers will be what does the data loading, saving, scheduling, etc.
The Synchronizer and BroadcastReceiver are separate classes. The
BroadcastReceiver will be set up in the AndroidManifest.xml file and the
Synchronizer will be managed by user code. The reason the
BroadcastReceiver isn't managed by user code is because Android won't
wake up code which isn't in the AndroidManifest. I.e. if a sync event
happens while the app is not running then the sync will not happen.
Summers
11 years
TODO app abandon - continues....
by Bruno Oliveira
Good morning peeps, regarding this thread http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-TODO-app-ab.... Somehow we agreed in the past to no longer support this app http://transcripts.jboss.org/channel/irc.freenode.org/%23aerogear/201....
I’ve been chatting with Christos about my concern around this app:
- This app still makes use of ag-controller and outdated versions of ag-security
- Maintaining it is very time consuming
- We need to monitor OpenShift because after a period of inactivity the app will be disabled
That said, I vote for just dropping or no longer maintaining this app and updating our integration tests. But before moving forward with it, I would like to hear the concerns from the team about it.
If I don’t hear anything, the application will be dropped from OpenShift. If the team agrees on maintaining it, we need a call to arms to do it.
--
abstractj
JBoss, a division of Red Hat
11 years
status
by Erik Jan de Wit
Blockers:
None
Last Week:
Created video of Cordova plugin with Push https://www.youtube.com/watch?v=ypJBOJrD7y4
Tested jboss tools
Angular 2 way binding Android POC
Learned grunt
Hackergarten
Sync API proposal
This Week:
Prepare presentation and keynote GWTCreate
Integrate binding POC with AGPad demo
11 years
Password reset
by Bruno Oliveira
Good morning slackland, here comes the basic idea about password reset:
Some considerations to keep in mind:
1. E-mail is an insecure channel; for this reason we won’t build any functionality to “remember” the password, only reset it.
2. It must be provided over SSL
3. We are not NSA proof, so this is just a prototype to validate ideas.
Details about the prototype:
1. The place to store the Token is totally up to the implementer: keystore, PicketLink or whatever database
2. The url to reset the password is built with PBKDF2 + an authenticated one-way hash function (HMAC), which means there’s no way you can pull the url id back out. In this way we are avoiding 2 issues: rainbow table attacks and tampering; in other words an attacker will have a hard time brute forcing it, as well as trying to corrupt the message.
3. This example doesn’t validate e-mail addresses or have a login.
- Token table
- id: the hashed message generated and encoded in Base64 (it’s possible to use hexadecimal)
- sentAt: the date and time when the token was sent to someone else
- expiration: token expiration. Default’s to 1 hour.
- used: whether the token was used or not. I implemented it in this way, but being paranoid I would suggest just deleting that record if the token was used.
- ExpirationTime class: just a class to deal with time and check if the Token has expired.
- TokenService class: just a class to manipulate the tokens in the database
- Endpoint workflow:
- /rest/forgot
1. User inputs the e-mail
2. E-mail is validated against the database
3. A URL to reset the password is sent
Ex: curl -v -H "Accept: application/json" -H "Content-type: application/json" -d '{"email":"john@doe.com"}' -X POST http://localhost:8080/password-reset/rest/forgot
- /rest/reset
1. User sends an HTTP request with the token id
2. The id is validated against the database
3. User is redirected to the reset password page
4. The new password is configured
5. token id is destroyed in the database or disabled
Ex: curl -v -H "Accept: application/json" -H "Content-type: application/json" -X POST http://localhost:8080/password-reset/rest/reset\?id\=sQrYVLJvwQptgYAg46t%...
Let me know what you think and I can move forward implementing it.
Note: To build the project please make use of this PR https://github.com/aerogear/aerogear-crypto-java/pull/13. A bug was found on ag-crypto-java.
--
abstractj
11 years
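The 0.1.0 announcement earlier on this page (secret_key used by PBKDF2 to HMAC a token, the 404 on a reused or random id, the expiry check in Workflow IV) and the design post above (token table with id, sentAt and expiration; /rest/forgot and /rest/reset) describe the same token lifecycle. The following Python sketch is an added example, not code from the password-reset project; it models that lifecycle in memory with a constructed placeholder secret (SECRET_KEY), an assumed iteration count, an injectable clock and hypothetical names (TokenService, forgot, reset, token_id_from_url, ManualClock). It goes slightly beyond the post in two respects: it deletes the row on use, the paranoid option the post suggests, instead of flagging it used, and it compares ids in constant time.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hmac import compare_digest
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholder: a deployment reads secret_key from config.properties and
# never shares it, since anyone holding it can derive ids that look valid.
SECRET_KEY = b"PLACEHOLDER-secret_key-from-config.properties"
PBKDF2_ITERATIONS = 100_000   # assumed value; the page does not state one


@dataclass
class Token:
    """One row of the token table: id, e-mail, sentAt and expiration (default 1 hour)."""
    id: str
    email: str
    sent_at: datetime
    expiration: timedelta = timedelta(hours=1)

    def expired(self, now: datetime) -> bool:
        return now >= self.sent_at + self.expiration


class ManualClock:
    """Injectable clock so expiry can be exercised without waiting (constructed helper)."""

    def __init__(self) -> None:
        self._now = datetime(2014, 3, 1, tzinfo=timezone.utc)   # constructed start time

    def now(self) -> datetime:
        return self._now

    def advance_hours(self, hours: float) -> None:
        self._now += timedelta(hours=hours)


class TokenService:
    """In-memory stand-in for the token store (keystore, PicketLink, a database...)."""

    def __init__(self, secret_key: bytes, base_url: str,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._secret = secret_key
        self._base_url = base_url.rstrip("/")
        self._now = now
        self._tokens: Dict[str, Token] = {}

    def _derive_id(self, email: str, nonce: bytes) -> str:
        # PBKDF2-HMAC-SHA256 keyed with secret_key over a fresh random salt: the id cannot
        # be predicted or forged without the secret, and nothing can be pulled back out of it.
        raw = hashlib.pbkdf2_hmac("sha256", self._secret, nonce + email.encode(),
                                  PBKDF2_ITERATIONS, 32)
        return base64.b64encode(raw).decode()

    def forgot(self, email: str, expiration_hours: float = 1.0) -> str:
        """/rest/forgot: mint a token for the e-mail and return the reset URL to send."""
        nonce = secrets.token_bytes(16)
        token_id = self._derive_id(email, nonce)
        self._tokens[token_id] = Token(token_id, email, self._now(),
                                       timedelta(hours=expiration_hours))
        return f"{self._base_url}/reset?id={quote(token_id, safe='')}"

    def reset(self, token_id: str) -> Optional[str]:
        """/rest/reset: consume the token; return its e-mail, or None (the 404 case)."""
        match = None
        # Constant-time comparison against every stored id, so response timing does not
        # reveal how many leading characters of a guessed id happened to be right.
        for stored_id, token in self._tokens.items():
            if compare_digest(stored_id.encode(), token_id.encode()):
                match = token
        if match is None:
            return None                    # unknown or random id (Workflow III)
        del self._tokens[match.id]         # single use: destroy the row either way
        if match.expired(self._now()):
            return None                    # expired token (Workflow IV)
        return match.email                 # caller may now redirect to update.html


def token_id_from_url(url: str) -> str:
    """Extract and percent-decode the id parameter of a reset URL."""
    return parse_qs(urlparse(url).query)["id"][0]


if __name__ == "__main__":
    service = TokenService(SECRET_KEY, "http://localhost:8080/password-reset/")
    url = service.forgot("john@doe.com")
    print("reset URL:", url)
    print("first use:", service.reset(token_id_from_url(url)))    # john@doe.com
    print("second use:", service.reset(token_id_from_url(url)))   # None, i.e. 404
```

Deleting the row on first use is what makes Workflow I step 6 hold regardless of a `used` flag, and checking expiry after the lookup rather than in a scheduled cleanup means a negative or elapsed expiration is rejected on the very next request, which is what Workflow IV tests.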