https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962

--- Comment #16 from Tomás Cohen Arazi <[email protected]> ---
(In reply to David Cook from comment #12)
> (In reply to Jonathan Druart from comment #11)
> > 1. Missing tests (you must provide tons of tests to cover the different
> > situations)
> 
> Are all the existing API tests in "t/db_dependent/api/v1/"?

Not sure what you mean here, but we try to enforce 100% code coverage on the
tests.

> > 2. Route's name should not be a verb (/password/validation maybe?)
> 
> I did struggle to come up with a noun for this one so I take the point.

I'd go with 'validation'.

> > 4. It's always returning "Invalid password" even for other failures (like
> > too many attempts)
> 
> I suppose a generic error like "Authentication failed" or "Validation
> failed" would be better.

If you think generic is fine, go for it. If you think there are use cases in
which the caller could take advantage of the information, please catch those
exceptions and return something meaningful.

> > 5. It allows you to check for pwd validation for a user you don't know their
> > userid (you can force brute only by knowing the patron's id). I don't think
> > it's a security concern as userid could be guessed anyway (?)
> > 6. following 5, you can lock any accounts if FailedLoginAttempts is set, no
> > need to know the userid list. How bad is that?

Maybe not the right bug to talk about how to prevent brute force attacks, as
you said: this is not a public route.
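A small Perl model of the two review points above (a generic "Authentication failed" versus meaningful per-failure responses, and a FailedLoginAttempts lockout that is keyed on the patron id alone). This is an added example, not code from Koha or from this bug's patch; the patron record, the preference variable and the exception hashes are hypothetical stand-ins.

```perl
use strict;
use warnings;

# Hypothetical stand-in for the FailedLoginAttempts preference (0 = disabled).
my $FAILED_LOGIN_ATTEMPTS = 3;

# Constructed sample patron keyed by patron id (not the real Koha schema).
my %patrons = ( 42 => { userid => 'jdoe', password => 'correct horse', login_attempts => 0 } );

# Dies with a distinct exception per failure so the route can choose what to expose.
sub validate_password {
    my ( $patron_id, $password ) = @_;
    my $patron = $patrons{$patron_id} or die +{ code => 'not_found' };
    die +{ code => 'account_locked' }
        if $FAILED_LOGIN_ATTEMPTS && $patron->{login_attempts} >= $FAILED_LOGIN_ATTEMPTS;
    if ( $patron->{password} ne $password ) {
        $patron->{login_attempts}++;    # counted even though the caller never sent a userid
        die +{ code => 'invalid_password' };
    }
    $patron->{login_attempts} = 0;
    return 1;
}

# Meaningful responses, used only when the caller can act on the reason.
my %meaningful = (
    not_found        => [ 404, 'Patron not found' ],
    account_locked   => [ 403, 'Account locked: too many failed attempts' ],
    invalid_password => [ 400, 'Invalid password' ],
);

# Route layer: $generic collapses every failure to one message.
sub validation_route {
    my ( $patron_id, $password, $generic ) = @_;
    return [ 204, '' ] if eval { validate_password( $patron_id, $password ) };
    my $code = ref($@) eq 'HASH' ? $@->{code} : 'internal';
    return [ 400, 'Authentication failed' ] if $generic;
    return $meaningful{$code} // [ 500, 'Internal error' ];
}

# Walk-through: three wrong guesses lock patron 42; afterwards the generic mapping
# cannot tell the caller that the correct password was refused because of the lock.
for my $attempt ( 1 .. 3 ) {
    printf "attempt %d: %d %s\n", $attempt, @{ validation_route( 42, 'wrong', 1 ) };
}
printf "correct password, generic:    %d %s\n", @{ validation_route( 42, 'correct horse', 1 ) };
printf "correct password, meaningful: %d %s\n", @{ validation_route( 42, 'correct horse', 0 ) };
```

The last two calls show the trade-off being discussed: with the generic mapping a locked account and a wrong password are indistinguishable to the caller, while the meaningful mapping returns 403 for the lock.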
