Moodle tracker: MDL-69958

Support /.well-known/password-change requests from password managers


    Details

    • Type: New Feature
    • Status: Development in progress
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.11, 4.0
    • Fix Version/s: None
    • Component/s: Administration
    • Affected Branches:
      MOODLE_311_STABLE, MOODLE_400_STABLE
    • Pull Master Branch:
      MDL-69958-well-known-password
    • Testing Instructions:

      1) Create a user called 'admin'.

      2) Set their password to a known compromised password:

      php admin/cli/reset_password.php -u=admin -p=admin --ignore-password-policy

      3) Set up error page handling for Apache / nginx.

      4) Visit a broken URL and confirm you see the Moodle-themed error page, e.g.

       /not-a-page

      5) Log in to your Moodle using the admin account, and save this password using the Chrome password manager.

      6) Confirm you can see the password here in the Chrome password manager:

       chrome://settings/passwords

      7) Confirm you see in Chrome 'N compromised passwords' and then click on the arrow. If you didn't see this, click 'Check again' and confirm it rescanned your passwords and found the compromised one.

      8) Find the entry for your Moodle domain and click 'Change password' next to it.

      9) Confirm you are taken directly to the change password page:

      /login/change_password.php


      Description

      There is a growing number of things that get put into /.well-known/, some of which would be considered OS-level things, like Let's Encrypt, and others which would be application-level concerns. A simple example might be support for

      /.well-known/change-password

      which, specifically for Moodle, should redirect to: /login/change_password.php

      https://w3c.github.io/webappsec-change-password-url/

      So we need a generic way for Moodle to intercept some but not all of these routes and let nginx or Apache handle the rest, and a way for core and plugins to add arbitrary new URL routes under .well-known to support any emerging new specs.
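      As an added example, not code from this issue or from Moodle, the following Python script automates the outcome that steps 4 and 9 of the testing instructions check by hand: it requests /.well-known/change-password without following redirects and confirms the first response redirects to /login/change_password.php, and it also requests the probe path defined by the W3C spec linked above (/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200), which must not answer 2xx or browsers treat the site's change-password URL as unreliable. The origin 'https://moodle.example' and the expected target path are assumptions.

```python
"""Added check: does an origin serve the change-password well-known URL correctly?"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

CHANGE_PASSWORD = "/.well-known/change-password"
# Probe path defined by the W3C change-password-url spec; a server that answers 2xx
# here answers 2xx for anything, so its change-password redirect cannot be trusted.
SHOULD_NOT_EXIST = (
    "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200"
)
REDIRECTS = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the first response can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # unhandled -> urllib raises HTTPError carrying the 3xx


def fetch_status(url, timeout=10):
    """Return (status code, Location header or None) for a single GET."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all arrive here
        return err.code, err.headers.get("Location")


def evaluate(change_status, change_location, probe_status,
             expected_target="/login/change_password.php"):
    """Classify the two responses; returns 'ok' or a short reason string."""
    if 200 <= probe_status < 300:
        return "unreliable: 2xx for a .well-known path that should not exist"
    if change_status not in REDIRECTS:
        return f"unsupported: {CHANGE_PASSWORD} answered {change_status}, not a redirect"
    if not change_location or expected_target not in change_location:
        return f"misrouted: redirect goes to {change_location!r}, not {expected_target}"
    return "ok"


def check_origin(origin):
    """Run both requests against e.g. 'https://moodle.example' (assumed origin)."""
    change_status, location = fetch_status(urljoin(origin, CHANGE_PASSWORD))
    probe_status, _ = fetch_status(urljoin(origin, SHOULD_NOT_EXIST))
    return evaluate(change_status, location, probe_status)
```

      Run check_origin('https://moodle.example') against a test site; anything other than 'ok' names which of the three conditions failed.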


      People

      Assignee: Brendan Heywood (brendanheywood)
      Reporter: Brendan Heywood (brendanheywood)
      Component watchers: Andrew Lyons, Dongsheng Cai, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
      Votes: 0
      Watchers: 2