https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962
--- Comment #22 from David Cook <[email protected]> ---
(In reply to Jonathan Druart from comment #11)
> 1. Missing tests (you must provide tons of tests to cover the different situations)
> 2. Route's name should not be a verb (/password/validation maybe?)
> 3. Routes that return empty should return 204
> 4. It's always returning "Invalid password" even for other failures (like too many attempts)
> 5. It allows you to check for pwd validation for a user you don't know their userid (you can brute force only by knowing the patron's id). I don't think it's a security concern as userid could be guessed anyway (?)
> 6. Following 5, you can lock any accounts if FailedLoginAttempts is set, no need to know the userid list. How bad is that?

I think that I've addressed all these points now :)

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
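A small model of the response semantics raised in points 3, 4 and 6 of the quoted review (an added example in Python, not Koha's Perl code): the route is keyed on userid rather than the numeric patron id, returns 204 with no body on success, and reports a locked account separately from a wrong password. The route path, status codes, the in-memory patron record and the lockout threshold are this example's own assumptions, standing in for Koha's FailedLoginAttempts preference.

```python
from dataclasses import dataclass
import hashlib
import hmac
import secrets

# Stands in for Koha's FailedLoginAttempts system preference (value constructed here).
FAILED_LOGIN_ATTEMPTS = 3


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Patron:
    userid: str
    salt: bytes
    pw_hash: bytes
    login_attempts: int = 0  # counter that the lockout check reads (point 6)


def make_patron(userid: str, password: str) -> Patron:
    salt = secrets.token_bytes(16)
    return Patron(userid, salt, _hash(password, salt))


# Constructed in-memory store: a single patron whose userid is "koha".
PATRONS = {"koha": make_patron("koha", "correct horse")}


def validate_password(body: dict):
    """Model of POST /password/validation with JSON body {"userid": ..., "password": ...}.
    Returns (status, payload); a 204 carries no payload (point 3)."""
    userid, password = body.get("userid"), body.get("password")
    if not userid or not password:
        return 400, {"error": "userid and password are required"}
    patron = PATRONS.get(userid)
    if patron is None:
        # Same message as a wrong password, so the route does not confirm which userids exist.
        return 401, {"error": "Invalid password"}
    if FAILED_LOGIN_ATTEMPTS and patron.login_attempts >= FAILED_LOGIN_ATTEMPTS:
        # Point 4: a locked account is reported as such, not as "Invalid password".
        return 403, {"error": "Too many failed login attempts; account locked"}
    if hmac.compare_digest(_hash(password, patron.salt), patron.pw_hash):
        patron.login_attempts = 0
        return 204, None
    # Each failure moves the account one step closer to the lockout threshold.
    patron.login_attempts += 1
    return 401, {"error": "Invalid password"}
```

Once `login_attempts` reaches the threshold, even the correct password is refused with 403, which is exactly the behaviour point 6 asks about: anyone who can name the account can drive that counter, so the lockout is a denial-of-service surface as much as a brute-force control.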
