[MDL-69958] Support /.well-known/password-change requests from password managers - Moodle Tracker

XML

Word

Printable

Details

Type: New Feature
Status: Development in progress
Priority: Minor
Resolution: Unresolved
Affects Version/s: 3.11, 4.0
Fix Version/s: None
Component/s: Administration
Labels:
- CatalystIT
- partner

Affected Branches:
MOODLE_311_STABLE, MOODLE_400_STABLE
Pull from Repository:
https://github.com/brendanheywood/moodle
Pull Master Branch:
MDL-69958-well-known-password
Pull Master Diff URL:
https://github.com/moodle/moodle/compare/master...brendanheywood:MDL-69958-well-known-password
Testing Instructions:
Hide

1) Create a user called 'admin'

2) Set their password to a known compromised password:

php admin/cli/reset_password.php -u=admin -p=admin --ignore-password-policy

3) Setup error page handling for apache / nginx.

4) Visit a broken url and confirm you see the moodle themed error page, eg

/not-a-page

5) Login to your moodle using the admin account, and save this password using the chrome password manager

6) Confirm you can see the password here in the Chrome password manager:

chrome://settings/passwords

7) Confirm you see in chrome 'N compromised passwords' and then click on the arrow. If you didn't see this click 'Check again' and confirm it rescanned your passwords and found the compromised one.

8) Find the entry for your moodle domain, click 'Change password' next to it

9) Confirm you are taken directly to the change password page

/login/change_password.php
Show
1) Create a user called 'admin' 2) Set their password to a known compromised password: php admin/cli/reset_password.php -u=admin -p=admin --ignore-password-policy 3) Setup error page handling for apache / nginx. 4) Visit a broken url and confirm you see the moodle themed error page, eg /not-a-page 5) Login to your moodle using the admin account, and save this password using the chrome password manager 6) Confirm you can see the password here in the Chrome password manager: chrome: //settings/passwords 7) Confirm you see in chrome 'N compromised passwords' and then click on the arrow. If you didn't see this click 'Check again' and confirm it rescanned your passwords and found the compromised one. 8) Find the entry for your moodle domain, click 'Change password' next to it 9) Confirm you are taken directly to the change password page /login/change_password.php

Description

There is a growing number of things that get put into /.well-known/ some of which would be considered OS level things, like LetsEncrypt, and others which would be application level concerns. A simple example might be support for

/.well-known/change-password

which specifically for moodle should redirect to: /login/change_password.php

https://w3c.github.io/webappsec-change-password-url/

So we need a generic way for moodle to intercept some but not all of these routes and let nginx or apache handle some, and a way for core and plugins to add arbitrary new url routes into .well-known to support any emerging new specs

Attachments

Issue Links

has been marked as being related by

MDL-69333 Reduce ability to fingerprint a server with a htaccess-dist / nginx file / docs

Closed

will be (partly) resolved by

MDL-56041 Cleanup custom 404 page and more easily support custom 50x error pages

Closed

will help resolve

MDL-69732 Manifest file /.well-known/badgeconnect.json is ignored by OBv2.1

Closed

Activity

People

Assignee:: Brendan Heywood

Reporter:: Brendan Heywood

Participants:: Brendan Heywood, CiBoT

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 1 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16/Oct/20 1:55 PM

Updated:: 21/Sep/21 5:16 PM