Moodle tracker: MDL-69958

Support /.well-known/password-change requests from password managers


Details

    • Type: New Feature
    • Status: Development in progress
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.11, 4.0
    • Fix Version/s: None
    • Component/s: Administration
    • Affected Branches: MOODLE_311_STABLE, MOODLE_400_STABLE
    • Pull branch: MDL-69958-well-known-password
    Testing Instructions

      1) Create a user called 'admin'

      2) Set their password to a known compromised password:

      php admin/cli/reset_password.php -u=admin -p=admin --ignore-password-policy

      3) Set up error page handling for Apache / nginx.

      4) Visit a broken URL and confirm you see the Moodle themed error page, e.g.

       /not-a-page

      5) Log in to your Moodle using the admin account, and save this password using the Chrome password manager

      6) Confirm you can see the password here in the Chrome password manager:

       chrome://settings/passwords

      7) Confirm you see in Chrome 'N compromised passwords' and then click on the arrow. If you didn't see this, click 'Check again' and confirm it rescanned your passwords and found the compromised one.

      8) Find the entry for your Moodle domain, click 'Change password' next to it

      9) Confirm you are taken directly to the change password page

      /login/change_password.php


    Description

      There is a growing number of things that get put into /.well-known/, some of which would be considered OS-level things, like LetsEncrypt, and others which would be application-level concerns. A simple example might be support for

      /.well-known/change-password

      which specifically for Moodle should redirect to: /login/change_password.php

      https://w3c.github.io/webappsec-change-password-url/

      So we need a generic way for Moodle to intercept some but not all of these routes and let nginx or Apache handle some, and a way for core and plugins to add arbitrary new URL routes into .well-known to support any emerging new specs.
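      The following is an added illustration of the two things the description and the testing instructions above ask for, written for this page in Python rather than taken from Moodle (Moodle itself is PHP, and this is not its code): a small registry-backed dispatcher that answers only the /.well-known/ names core or plugins have registered and hands everything else (for example acme-challenge/...) back to nginx or Apache, and a simplified form of the check a password manager makes before it trusts the change-password URL. The function names, the registry and the returned header set are hypothetical; the target /login/change_password.php comes from this issue, and the long probe path comes from the W3C draft linked above, which uses it to catch servers that answer 200 to every request.

```python
"""Added example (not Moodle code): a small /.well-known/ dispatcher of the
kind this issue asks for, plus the check a password manager makes before
trusting the change-password URL. All names here are hypothetical."""
from __future__ import annotations

from urllib.parse import urlsplit

# The change-password URL is expected to answer with a redirect.
_REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Probe path defined by the W3C draft: a conforming server must NOT answer 2xx here.
PROBE_PATH = ("/.well-known/resource-that-should-not-exist-"
              "whose-status-code-should-not-be-200")

# Registry of well-known names the application itself answers (hypothetical).
# Anything else under /.well-known/ is left to nginx/apache (ACME etc).
_APP_ROUTES: dict[str, tuple[int, str]] = {}


def register_well_known(name: str, target: str, status: int = 302) -> None:
    """Map /.well-known/<name> to a fixed, application-relative redirect target.

    Core and plugins would call this at boot. Rejecting slashes keeps
    multi-segment namespaces such as acme-challenge/... out of the app's hands,
    and a fixed app-relative target means a request can never steer the redirect
    (no open-redirect surface).
    """
    if not name or "/" in name or name in (".", "..") or name != name.strip():
        raise ValueError(f"invalid well-known name: {name!r}")
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        raise ValueError(f"target must be an app-relative path: {target!r}")
    if status not in _REDIRECT_STATUSES:
        raise ValueError(f"not a redirect status: {status}")
    _APP_ROUTES[f"/.well-known/{name}"] = (status, target)


def dispatch(request_target: str) -> tuple[int, dict[str, str]] | None:
    """Return (status, headers) for a request the app answers, or None to let
    the web server handle the path with its normal (404) error handling."""
    path = urlsplit(request_target).path  # match on the path only, never the query
    if not path.startswith("/.well-known/"):
        return None
    # Refuse dot segments and empty segments outright instead of normalising;
    # the exact-match lookup below then cannot be bypassed by ../ tricks.
    rest = path[len("/.well-known/"):]
    if any(seg in (".", "..", "") for seg in rest.split("/")):
        return None
    route = _APP_ROUTES.get(path)
    if route is None:
        return None
    status, target = route
    return status, {"Location": target, "Cache-Control": "no-store"}


def password_manager_trusts(change_password_status: int, probe_status: int) -> bool:
    """Simplified client-side logic from the draft: the change-password URL is
    usable only if it redirects (or is ok) AND the probe URL is NOT ok, because
    a server that answers 2xx to anything proves nothing. A themed error page
    served with status 200 instead of 404 therefore defeats this feature."""
    change_ok = (change_password_status in _REDIRECT_STATUSES
                 or 200 <= change_password_status <= 299)
    probe_ok = 200 <= probe_status <= 299
    return change_ok and not probe_ok


# What core would register for this issue; target taken from the description.
register_well_known("change-password", "/login/change_password.php")

if __name__ == "__main__":
    print(dispatch("/.well-known/change-password"))
    print(dispatch("/.well-known/acme-challenge/token"))      # None: web server serves it
    print(password_manager_trusts(302, 404), password_manager_trusts(302, 200))
```

      The practical caveat this exposes for step 4 of the testing instructions: it is not enough that /not-a-page shows the Moodle themed error page, it must also be served with a 404 status (check the response headers, e.g. with curl -I), otherwise the probe URL answers 200 and the password manager will ignore the change-password route even though the redirect works.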


      People

              Assignee: Brendan Heywood
              Reporter: Brendan Heywood
              Participants: Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Stevani Andolo
              Votes: 0
              Watchers: 2
