Taking advantage of the platform penetration testing that the Cyber team is doing, and of an improvement proposal, a new mechanism has been implemented for creating users through self-registration (sign-up), for password recovery when a password is forgotten, and for communicating a password change made for a user from the Control Panel or from the management APIs, so that passwords are no longer transmitted by email.
...
The user registration form has been updated so that it is no longer necessary to enter a password. Instead, the user will provide it after validating her email:
...
This does not register the user yet; it generates an email to the address provided, with a link where the registration process will be completed.
...
The user will receive an email like this one, indicating the URL where the registration process can be completed, as well as a warning that if the process is not completed within a given time (configurable per installation), the link will disappear, along with the previously provided information.
...
Once the registration is complete, the user is returned to the login screen, so that she can authenticate herself if desired.
...
Password recovery
Previously, the password was sent directly by email. Now a password recovery flow is launched:
A registered user enters her email for recovery:
...
And the user is returned to the login page, prompting her to check her email:
...
The email will include the link to enter the new password, as well as the maximum time to complete the process, after which the link will no longer be available.
...
There are two other points from which an administrator can change another user's password:
From the list of users:
...
From the user edit page:
...
In the first case, a random password is generated and it is mandatory to change it within a configurable time, or the user will be blocked. In the second case, there is no need to change it.
Previously, an email was sent with the new password, whether modified or generated. With the new mechanism, in both cases an email is sent with a link to a screen where the new password can be viewed. After a configurable time, the link is no longer available:
...
Following the link, you get to the password query screen:
...
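The three flows described above (self-registration, password recovery and the administrator-generated password) all rest on the same idea: the email carries a single-use link that stops working after a configurable time, and the secret itself (the new password) is only ever entered or viewed behind that link. The Python below is an added illustration of that mechanism written for this page; it is not the platform's own implementation. The base URL, the in-memory token and user stores, the SHA-256 password hash and the `must_change_by` blocking rule are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingAction:
    kind: str                      # "signup", "reset" or "reveal"
    email: str
    expires_at: float              # unix time after which the link stops working
    payload: Optional[str] = None  # the admin-generated password, for "reveal" only
    used: bool = False


class TokenLinkService:
    """Issues single-use, time-limited links and redeems them (illustrative, not the product's code).
    Only the SHA-256 digest of each token is kept server-side, so a copy of the store does not
    yield working links. ttl_seconds models the "configurable time" after which a link disappears."""

    def __init__(self, ttl_seconds: int, base_url: str = "https://platform.example/"):
        self.ttl = ttl_seconds
        self._base = base_url      # hypothetical base URL
        self._pending = {}         # token digest -> PendingAction

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, kind, email, payload=None, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = PendingAction(kind, email, now + self.ttl, payload)
        return f"{self._base}{kind}?token={token}"

    def redeem(self, kind, token, now=None) -> Optional[PendingAction]:
        """Consume the token; None if unknown, wrong kind, already used or expired."""
        now = time.time() if now is None else now
        key = self._digest(token)
        action = self._pending.get(key)
        if action is None or action.kind != kind or action.used:
            return None
        if now > action.expires_at:
            del self._pending[key]             # expired: the pending data disappears too
            return None
        action.used = True
        return action


def token_from_link(link: str) -> str:
    return link.split("token=", 1)[1]


# Toy account store (constructed): email -> {"pw_hash": str, "must_change_by": float or None}
users = {}


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()   # stand-in; use bcrypt/argon2 in practice


def start_signup(svc, email, now=None) -> str:
    """Self-registration step 1: no password is collected, only a link is emailed."""
    return svc.issue("signup", email, now=now)


def complete_signup(svc, link, password, now=None) -> bool:
    action = svc.redeem("signup", token_from_link(link), now)
    if action is None:
        return False      # expired or reused link: the pending registration is gone
    users[action.email] = {"pw_hash": hash_password(password), "must_change_by": None}
    return True


def start_reset(svc, email, now=None):
    """Password recovery: a link is issued only for registered users; the UI should show the
    same 'check your email' message either way, so addresses are not enumerable."""
    return svc.issue("reset", email, now=now) if email in users else None


def complete_reset(svc, link, password, now=None) -> bool:
    action = svc.redeem("reset", token_from_link(link), now)
    if action is None or action.email not in users:
        return False
    users[action.email] = {"pw_hash": hash_password(password), "must_change_by": None}
    return True


def admin_generate_password(svc, email, now=None) -> str:
    """Admin 'from the user list' case: random password that must be changed within the TTL,
    delivered only through a one-shot reveal link, never in the email body."""
    now = time.time() if now is None else now
    new_pw = secrets.token_urlsafe(12)
    users[email] = {"pw_hash": hash_password(new_pw), "must_change_by": now + svc.ttl}
    return svc.issue("reveal", email, payload=new_pw, now=now)


def reveal_password(svc, link, now=None) -> Optional[str]:
    action = svc.redeem("reveal", token_from_link(link), now)
    return None if action is None else action.payload


def login(email, password, now=None) -> bool:
    now = time.time() if now is None else now
    u = users.get(email)
    if u is None or u["pw_hash"] != hash_password(password):
        return False
    return u["must_change_by"] is None or now <= u["must_change_by"]   # blocked after the deadline
```

The `now` parameters exist so that expiry can be exercised deterministically; in a real service they would simply be the clock. Note that a token is bound to the flow it was issued for (`kind`), so a registration link cannot be replayed as a password-reset link, and that an expired token is deleted together with the data behind it, which is the behaviour the registration email warns about.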
Password management from REST APIs
...
User registration does not apply to the APIs: they allow creating users, but only with a Bearer token that permits it. So whoever uses this functionality is already authenticated on the platform and has the appropriate permissions.
...
Currently this is done by sending an email with the password. This functionality has been deprecated: it remains backward-compatible with applications that currently use this method, but bear in mind that it will disappear in the future:
...
A new function has been added:
...
This sends the same email as when the password is reset via the login page, and requires the user to confirm by entering the new password in the same form.