GitHub user mike-jumper opened a pull request:
https://github.com/apache/incubator-guacamole-client/pull/92
GUACAMOLE-136: Handle expired password reset within getUserContext()
The JDBC auth handles resetting of expired passwords within
`authenticateUser()`, which doesn't play nicely with secondary authentication
factors. The process ends up being:
1. User logs in
2. User is prompted to reset their password
3. User is verified with secondary authentication factors
Which is bad. Presumably the user's identity should be verified *before*
allowing them to change their password. By moving the reset process to
`getUserContext()`, the ordering of the process is fixed:
1. User logs in
2. User is verified with secondary authentication factors
3. User is prompted to reset their password
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/mike-jumper/incubator-guacamole-client jdbc-mfa-compat
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/incubator-guacamole-client/pull/92.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #92
----
commit 4a1ffbfdccd0d42e44a164bdbd89176fe1a098ef
Author: Michael Jumper <[email protected]>
Date: 2016-12-03T21:39:42Z
GUACAMOLE-136: Move password reset flow into own function. Invoke from
getUserContext(), not authenticateUser(), such that secondary authentication
factors have a chance to invalidate the auth attempt prior to password reset.
----
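The ordering problem the pull request describes, modelled as an added example. This is not code from the Guacamole project: the class names, the Credentials record, the `login()` loop and the sample users and codes are hypothetical stand-ins for Guacamole's AuthenticationProvider interface; only the two phase names, `authenticate_user()` and `get_user_context()`, mirror it. The `reset_in` switch selects whether the expired-password prompt fires in the first phase (the behaviour before the change) or the second (after it).

```python
"""Toy model of the auth-phase ordering issue from the pull request.

Added example, not code from the Guacamole project. The class names,
the Credentials record and the two-phase login() loop are hypothetical
stand-ins for Guacamole's AuthenticationProvider interface; only the
two method names, authenticate_user() and get_user_context(), mirror it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class AuthFailed(Exception):
    """A provider rejected the login attempt."""


class PasswordResetRequired(Exception):
    """The user is about to be prompted to choose a new password."""


@dataclass
class Credentials:
    username: str
    password: str
    totp_code: Optional[str] = None


class JdbcLikeProvider:
    """Password provider whose stored users may have expired passwords."""

    def __init__(self, name: str, users: Dict[str, Tuple[str, bool]], reset_in: str):
        if reset_in not in ("authenticate_user", "get_user_context"):
            raise ValueError("reset_in must name one of the two phases")
        self.name = name
        self.users = users          # username -> (password, expired?)
        self.reset_in = reset_in    # phase in which the reset prompt is raised

    def _check_expired(self, username: str) -> None:
        if self.users[username][1]:
            raise PasswordResetRequired(username)

    def authenticate_user(self, creds: Credentials) -> Optional[str]:
        stored = self.users.get(creds.username)
        if stored is None or stored[0] != creds.password:
            raise AuthFailed("bad password")
        if self.reset_in == "authenticate_user":   # behaviour before the PR
            self._check_expired(creds.username)
        return creds.username

    def get_user_context(self, username: str) -> dict:
        if self.reset_in == "get_user_context":    # behaviour after the PR
            self._check_expired(username)
        return {"user": username}


class MfaLikeProvider:
    """Second factor that runs after the password provider in the same phase."""

    def __init__(self, name: str, codes: Dict[str, str]):
        self.name = name
        self.codes = codes          # username -> expected one-time code

    def authenticate_user(self, creds: Credentials) -> Optional[str]:
        if self.codes.get(creds.username) != creds.totp_code:
            raise AuthFailed("bad second factor")
        return creds.username

    def get_user_context(self, username: str) -> None:
        return None                 # contributes no user context of its own


def login(providers: list, creds: Credentials) -> List[str]:
    """Phase 1: every provider's authenticate_user(); phase 2: get_user_context().

    Returns an ordered trace so it is visible which step stops the attempt.
    """
    trace: List[str] = []
    user: Optional[str] = None
    try:
        for p in providers:
            user = p.authenticate_user(creds) or user
            trace.append(f"authenticate_user:{p.name}:ok")
        for p in providers:
            p.get_user_context(user)
            trace.append(f"get_user_context:{p.name}:ok")
    except PasswordResetRequired:
        trace.append("prompt-password-reset")
    except AuthFailed as exc:
        trace.append(f"rejected:{exc}")
    return trace


# Constructed sample data: alice's password is correct but has expired.
USERS = {"alice": ("correct horse", True)}
CODES = {"alice": "123456"}


def run(reset_in: str, totp_code: Optional[str]) -> List[str]:
    """Log alice in with the reset prompt wired into the given phase."""
    creds = Credentials("alice", "correct horse", totp_code)
    providers = [JdbcLikeProvider("jdbc", USERS, reset_in),
                 MfaLikeProvider("mfa", CODES)]
    return login(providers, creds)


if __name__ == "__main__":
    print("old wiring, wrong code:", run("authenticate_user", "000000"))
    print("new wiring, wrong code:", run("get_user_context", "000000"))
    print("new wiring, right code:", run("get_user_context", "123456"))
```

With the prompt raised in `authenticate_user()`, the trace for a wrong one-time code is just `prompt-password-reset`: the second factor is never consulted before the user is offered a password change. With the prompt moved to `get_user_context()`, a wrong code ends the attempt at `rejected:bad second factor`, and only a fully verified user reaches the reset prompt.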