[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16734372#comment-16734372 ]
Gil Portenseigne commented on OFBIZ-4361:
-----------------------------------------
h2. *Idea using JWT:*
To remain simple with password update without adding much code into the
codebase, we would like to propose a new idea as a first simple step.
Improve the {{service engine}} to allow the usage of a {{JWT token}} to *execute
a given service as an authenticated user*.
The JWT token is generated by OFBiz with its secret and contains in its data
payload the allowed {{serviceName}} and the {{userLoginId}}.
h2. Given the following use case:
A user asks for a new password, giving his userLoginId.
A mail is sent with a link containing the JWT token with the {{serviceName}}
*updatePassword* and the {{userLoginId}} in the data payload, and a target to
an OFBiz _no auth required_ web page described below.
The user accesses the web page through the link; it presents a form containing:
* the JWT in its hidden parameters
* a field asking the new password
* a submit button.
The validation of this form will call the *updatePassword* service.
Since the user is _not authenticated_, the {{service engine}} will look in the
parameters for a token and, if one exists, will validate it. Otherwise authentication is
required...
If a serviceName exists in the data and equals the called one, the other data
from the JWT payload is added to the IN service call attributes.
That will simply allow a basic updatePassword process in trunk, which can easily be
extended by customizing the URL target and serviceName to add verification
and so on.
This idea is a first attempt, and should be discussed in regards to the other
suggestions.
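The token flow sketched above, as an added worked example (not OFBiz code and not part of the comment): a minimal HS256 JWT carrying serviceName and userLoginId, the verification the service engine would run on an unauthenticated call, and the rule that a token is honoured only for the service it names, with the token's userLoginId taking precedence over any value submitted with the form. The secret value, the exp claim and all function names are assumptions for the illustration; Python stands in for OFBiz's Java.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed; OFBiz would use its own configured secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_service_token(service_name, user_login_id, ttl_seconds=3600, now=None):
    """HS256 JWT carrying the allowed serviceName and userLoginId; exp is an added safeguard."""
    now = int(time.time()) if now is None else now
    claims = {"serviceName": service_name, "userLoginId": user_login_id, "exp": now + ttl_seconds}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_service_token(token, now=None):
    try:  # malformed segments, bad base64 and bad JSON all fail closed
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time signature check
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims  # signature and expiry verified

def run_service(called_service, in_attrs, now=None):
    """Service-engine step from the comment for an unauthenticated caller: the call passes only if a
    valid token names this exact service; the token's claims are then merged over the IN attributes."""
    claims = verify_service_token(in_attrs.get("token", ""), now=now)
    if claims is None or claims.get("serviceName") != called_service:
        return {"status": "auth_required"}
    merged = {k: v for k, v in in_attrs.items() if k != "token"}
    merged.update({k: v for k, v in claims.items() if k not in ("serviceName", "exp")})
    return {"status": "ok", "attrs": merged}
```

Binding the token to one serviceName is what stops a password-reset token from being replayed against any other service; the expiry keeps a leaked reset link from staying valid indefinitely.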
> Any ecommerce user has the ability to reset another's password (including
> admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Release Branch 11.04, Release Branch 13.07, Release
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release
> Branch 17.12
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Assignee: Jacques Le Roux
> Priority: Major
> Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch,
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch,
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to
> reset another user's password, including "admin", without permission. By
> simply entering "admin" and clicking "Email Password", the following is
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also
> possible to generate a dictionary attack against ofbiz because there is no
> captcha code required. This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name
> is optionally in the format of an email address, and maybe require a captcha
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was
> generated via an ecommerce transaction.
--
This message was sent by Atlassian JIRA (v7.6.3#76005)