Improvement
Resolution: Fixed
Minor
2.7.16, 2.9.8, 3.0.6, 3.1.2
MOODLE_27_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE
MOODLE_32_STABLE
MDL-55923-master
This is a follow-up of MDL-49026, where web-service tokens started being deleted on password reset (as a security measure, especially for mobile users).
There, it was detected that the behavior was sub-optimal for non-mobile services, because they would stop working without notice.
So this is to consider which could be the best solution for those non-mobile services and implement it. Here there are various alternatives, not mutually exclusive, extracted from the comments in the original issue:
A) Only reset mobile services.
B) Notify on change password about the invalidated tokens/services.
C) Regenerate the token under some conditions.
D) Put tokens on hold instead of deleting them.
Also, related, it's needed to verify what happens with "user_private_keys", if they should also be invalidated, or not... and, of course, the tokens UI needs some love (MDL-53400, MDL-55003 ...) to be able to manage them better.
That's it, ciao