Moodle tracker issue MDL-55923

Improve the behavior of deleted tokens on password reset


    Details

    • Testing Instructions:
      1. As admin, enable "Mobile services": Plugins ► Web Services ► Mobile
      2. Create a new standard user account, and connect to the site with that user using the mobile app.
      3. Now access the Moodle web site with the user account, go to your preferences -> change password
      4. Change your password, and ensure that the "Sign out of other devices.." option is set
      5. Go back to the mobile app and try to browse (or pull down to refresh (PTR) to avoid the cache); you will be logged out (do not enter your credentials again yet)
      6. Go back to the web site and go again to change your password; you shouldn't see the "Sign out of other devices" option now
      7. Access with the new password using the mobile app
      8. Go back to the web site and change your password again, but uncheck the "Sign out of other devices.." option
      9. Go back to the app; you should be able to browse and do PTR normally in the app
      10. Now, as admin, browse the users and edit the profile of the standard user
      11. You should see the "sign out from other devices" option; the option is "disabled", but if you enter a new password it will get enabled (once you change the focus of the field)
      12. At the right of the "sign out .." option you will see the list of services of the user; the only one there should be the Moodle mobile web service
      13. Enter a new password for the user
      14. Go back to the app and try to browse or do a PTR to avoid the cache; you should be logged out
      15. Access again using your new password in the mobile app

      TEST the global setting now:

      1. Now, as admin in the Moodle site, enable the security preference: passwordchangetokendeletion
      2. Now access the Moodle site as the user and go to change your password; you shouldn't see the "Sign out of other devices" checkbox
      3. Enter a new password
      4. Go back to the mobile app and try to browse; you should be logged out.
    • Affected Branches:
      MOODLE_27_STABLE, MOODLE_29_STABLE, MOODLE_30_STABLE, MOODLE_31_STABLE
    • Fixed Branches:
      MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-55923-master

      Description

      This is a follow-up to MDL-49026, where web-service tokens started being deleted on password reset (as a security measure, especially for mobile users).

      There, it was detected that the behavior was sub-optimal for non-mobile services, because they would stop working without notice.

      So this issue is to consider which could be the best solution for those non-mobile services and implement it. There are various alternatives, not mutually exclusive, extracted from the comments in the original issue:

      A) Only reset mobile services.
      B) Notify on change password about the invalidated tokens/services.
      C) Regenerate the token under some conditions.
      D) Put tokens on hold instead of deleting them.

      Also, related, it's needed to verify what happens with "user_private_keys", whether they should also be invalidated or not... and, of course, the tokens UI needs some love (MDL-53400, MDL-55003 ...) to be able to manage them better.

      That's it, ciao
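The behaviour exercised by the testing instructions above (per-user "Sign out of other devices" choice, the passwordchangetokendeletion site setting overriding it, and the control being disabled on the admin edit form until a new password is typed) can be modelled in a few lines. This is an added stand-alone illustration, not Moodle's own code: the function names, the array layout of the tokens and the two service shortnames are assumptions chosen for the example.

```php
<?php
// Added illustration, not Moodle's code: a stand-alone model of the token handling
// that the testing instructions check. Function names and data layout are assumed.

// Constructed sample: one user holding tokens for two web services.
$tokens = [
    ['id' => 1, 'service' => 'moodle_mobile_app',  'token' => 'tok-mobile'],
    ['id' => 2, 'service' => 'custom_integration', 'token' => 'tok-custom'],
];

/**
 * How the "Sign out of other devices" control should be rendered.
 * $forceall    = the passwordchangetokendeletion site setting.
 * $newpassword = whether a new password has been typed (admin profile edit case).
 */
function signout_control_state(array $tokens, bool $forceall, bool $newpassword): array {
    if ($forceall || empty($tokens)) {
        // Nothing to offer: the site forces deletion, or the user has no tokens.
        return ['visible' => false, 'enabled' => false, 'services' => []];
    }
    return [
        'visible'  => true,
        'enabled'  => $newpassword,
        'services' => array_values(array_unique(array_column($tokens, 'service'))),
    ];
}

/**
 * Apply a password change and return the tokens that survive it.
 * $signout = the user's checkbox value; ignored when the site setting forces deletion.
 */
function tokens_after_password_change(array $tokens, bool $forceall, bool $signout): array {
    if ($forceall || $signout) {
        return [];      // every web-service token is invalidated, the app is logged out
    }
    return $tokens;     // nothing invalidated, the app keeps working
}

// Step 4: password changed with the option set -> mobile token gone.
assert(tokens_after_password_change($tokens, false, true) === []);
// Step 6: no tokens left, so the option is not shown.
assert(signout_control_state([], false, true)['visible'] === false);
// Step 8: option unchecked -> both tokens survive.
assert(count(tokens_after_password_change($tokens, false, false)) === 2);
// Step 11: admin edit form shows the option disabled until a new password is typed.
assert(signout_control_state($tokens, false, false)['enabled'] === false);
assert(signout_control_state($tokens, false, true)['enabled'] === true);
// Global setting: checkbox hidden and tokens deleted regardless of the checkbox.
assert(signout_control_state($tokens, true, true)['visible'] === false);
assert(tokens_after_password_change($tokens, true, false) === []);
```

Run with zend.assertions=1 so the assertions are evaluated; the services list returned by signout_control_state is what the admin form would display next to the option (step 12).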

        Attachments

        1. bad_password_field.png
          41 kB
          Jake Dallimore
        2. screenshot-1.png
          77 kB
          Juan Leyva
        3. screenshot-2.png
          42 kB
          Juan Leyva
        4. screenshot-3.png
          40 kB
          Juan Leyva


              People

              Assignee:
              jleyva Juan Leyva
              Reporter:
              stronk7 Eloy Lafuente (stronk7)
              Peer reviewer:
              Dani Palou
              Integrator:
              David Monllaó
              Tester:
              Jake Dallimore
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Juan Leyva, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)
              Votes:
              0
              Watchers:
              7

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                5/Dec/16