Moodle
MDL-55923

Improve the behavior of deleted tokens on password reset


    • Affects versions: MOODLE_27_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE
    • Fix version: MOODLE_32_STABLE
    • Branch: MDL-55923-master
      Testing instructions:

      1. As admin, enable "Mobile services": Plugins ► Web Services ► Mobile
      2. Create a new standard user account, and connect to the site with that user from the mobile app.
      3. Now, access the Moodle web site with the user account and go to your preferences -> change password.
      4. Change your password, ensuring that the "Sign out of other devices..." option is set.
      5. Go back to the mobile app and try to browse (or do a pull down to refresh, PTR, to avoid the cache); you will be logged out (do not enter your credentials again yet).
      6. Go back to the web site and go again to change your password; you shouldn't see the "Sign out of other devices..." option now.
      7. Log in with the new password using the mobile app.
      8. Go back to the web site and change your password, but uncheck the "Sign out of other devices..." option.
      9. Go back to the app; you should be able to browse and do PTR normally.
      10. Now, as admin, browse the users and edit the profile of the standard user.
      11. You should see the "Sign out of other devices..." option. The option is disabled, but if you enter a new password it will get enabled (once you change the focus of the field).
      12. To the right of the "Sign out..." option you will see the list of the user's services; the only one there should be the Moodle mobile web service.
      13. Enter a new password for the user.
      14. Go back to the app and try to browse or do a PTR to avoid the cache; you should be logged out.
      15. Log in again using the new password in the mobile app.

      Test the global setting now:

      1. Now, as admin in the Moodle site, enable the security preference: passwordchangetokendeletion
      2. Access the Moodle site as the user and go to change your password; you shouldn't see the "Sign out of other devices..." checkbox.
      3. Enter a new password.
      4. Go back to the mobile app and try to browse; you should be logged out.

      This is a follow-up of MDL-49026, where web-service tokens started being deleted on password reset (as a security measure, especially for mobile users).

      There, it was detected that the behavior was sub-optimal for non-mobile services, because they would stop working without notice.

      So this is to consider which could be the best solution for those non-mobile services and implement it. Here are various alternatives, not mutually exclusive, extracted from the comments in the original issue:

      A) Only reset mobile services.
      B) Notify on change password about the invalidated tokens/services.
      C) Regenerate the token under some conditions.
      D) Put tokens on hold instead of deleting them.

      Also, related, it's needed to verify what happens with "user_private_keys", if they should also be invalidated or not... and, of course, the tokens UI needs some love (MDL-53400, MDL-55003 ...) to be able to manage them better.

      That's it, ciao
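The alternatives above, together with the rules the testing instructions check (the "Sign out of other devices" checkbox only appears when the user has tokens and never when passwordchangetokendeletion is on), can be made concrete in a small model. This is an added example, not Moodle's code or anything from this issue's branch: the token store, the service shortname `moodle_mobile_app`, and the function names `show_signout_checkbox`, `services_for_user` and `on_password_change` are all hypothetical. Alternative C (regenerating tokens) is left out, since the issue gives no conditions for it.

```python
"""Policies for web-service tokens on password change.

Added illustration for this issue; it is not Moodle code. The store, the
service name and the function names below are hypothetical, chosen only to
make alternatives A, B and D from the description concrete.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical shortname standing in for the Moodle mobile web service.
MOBILE_SERVICE = "moodle_mobile_app"


@dataclass
class Token:
    userid: int
    service: str
    token: str
    onhold: bool = False   # alternative D: suspended instead of deleted


@dataclass
class TokenStore:
    """In-memory stand-in for a token table (constructed for the example)."""
    tokens: List[Token] = field(default_factory=list)

    def for_user(self, userid: int) -> List[Token]:
        return [t for t in self.tokens if t.userid == userid]

    def delete_where(self, pred: Callable[[Token], bool]) -> List[Token]:
        removed = [t for t in self.tokens if pred(t)]
        self.tokens = [t for t in self.tokens if not pred(t)]
        return removed

    def is_valid(self, token: str) -> bool:
        # A token on hold must be rejected exactly like a deleted one.
        return any(t.token == token and not t.onhold for t in self.tokens)

    def release_hold(self, userid: int) -> int:
        """Admin action for alternative D: reactivate held tokens. Returns the count."""
        held = [t for t in self.for_user(userid) if t.onhold]
        for t in held:
            t.onhold = False
        return len(held)


def show_signout_checkbox(store: TokenStore, userid: int, global_deletion: bool) -> bool:
    """Rule from the testing instructions: the 'Sign out of other devices'
    checkbox appears only when the user holds at least one token, and never
    when passwordchangetokendeletion forces deletion of all of them."""
    return (not global_deletion) and bool(store.for_user(userid))


def services_for_user(store: TokenStore, userid: int) -> List[str]:
    """What the admin form lists next to the checkbox (step 12 of the test)."""
    return sorted({t.service for t in store.for_user(userid)})


def on_password_change(store: TokenStore, userid: int, *, global_deletion: bool,
                       signout_other_devices: bool, hold_non_mobile: bool = False) -> Dict[str, list]:
    """Apply the token policy after a successful password change.

    global_deletion       -> MDL-49026 behaviour: every token of the user is deleted.
    signout_other_devices -> alternative A: only mobile-service tokens are deleted;
                             with hold_non_mobile the remaining ones are put on hold (D).
    The returned 'notify' list is what a change-password page would show the
    user (alternative B): the services whose sessions were invalidated.
    """
    result: Dict[str, list] = {"deleted": [], "held": [], "kept": [], "notify": []}
    if global_deletion:
        result["deleted"] = store.delete_where(lambda t: t.userid == userid)
    elif signout_other_devices:
        result["deleted"] = store.delete_where(
            lambda t: t.userid == userid and t.service == MOBILE_SERVICE)
        if hold_non_mobile:
            for t in store.for_user(userid):
                if not t.onhold:
                    t.onhold = True
                    result["held"].append(t)
    result["kept"] = [t for t in store.for_user(userid) if not t.onhold]
    result["notify"] = sorted({t.service for t in result["deleted"] + result["held"]})
    return result


if __name__ == "__main__":
    # Constructed data: user 5 has a mobile token and a token for a custom service.
    store = TokenStore([Token(5, MOBILE_SERVICE, "m1"), Token(5, "custom_ws", "c1")])
    print(on_password_change(store, 5, global_deletion=False,
                             signout_other_devices=True, hold_non_mobile=True)["notify"])
```

The point of separating `deleted`, `held` and `notify` is that alternative B is cheap once A or D is in place: the change-password page already knows which services lost their tokens, so the "without notice" problem from MDL-49026 disappears without deciding yet between deleting and holding.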

        Attachments:
        1. bad_password_field.png (41 kB)
        2. screenshot-1.png (77 kB)
        3. screenshot-2.png (42 kB)
        4. screenshot-3.png (40 kB)

            jleyva Juan Leyva
            stronk7 Eloy Lafuente (stronk7)
            Dani Palou Dani Palou
            David Monllaó David Monllaó
            Jake Dallimore Jake Dallimore
            Votes: 0
            Watchers: 7
