Taking advantage of the platform penetration test carried out by the Cyber team and a proposal for improvement, a new mechanism has been implemented for creating users through self-registration (sign-up), for password recovery when a password is forgotten, and for communicating a password change made for a user from the control panel or from the management APIs, avoiding the transmission of passwords by email.
Self-registration (Sign-up)
The user registration form has been modified so that the password is no longer entered at registration. It is set by the user after validating their email:
This does not register the user yet; it generates an email to the address provided, with a link to complete the registration process.
The user will receive an email like the following, indicating the URL where they can finish the registration process, and a warning that if the process is not finished within a given time (configurable per installation), the link will expire and the information previously provided will be discarded.
Once registration is complete, the user is returned to the login page to authenticate if desired.
Password recovery
In previous releases, the password was sent by email directly. Now a password recovery flow is launched:
The user enters their email for recovery:
And is returned to the login page, prompting them to check their email:
The email will include the link to enter the new password, as well as the maximum time to complete the process, after which the link will no longer be available.
The link redirects to a new form where the new password is entered:
After which the user is returned to the login page.
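The sign-up completion and password recovery links described above both rely on a time-limited, single-use token embedded in the emailed URL. The following is an added illustration (not the platform's own code) of that token lifecycle: the server keeps only a hash of the token, rejects it after the configurable expiry, discards it on first use, and purges stale pending registrations together with their data. Function names and the in-memory store are assumptions for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory store for the example; a deployment would persist this.
# token_hash -> {"email": ..., "purpose": ..., "expires_at": ...}
_pending = {}


def _digest(token):
    """Store and look up only the SHA-256 digest of the raw token."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link_token(email, purpose, ttl_seconds, now=None):
    """Create a single-use token for a sign-up or password-reset link.

    The raw token is returned once, to be placed in the emailed URL; only its
    digest is kept, so a leaked store does not yield usable links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = {"email": email, "purpose": purpose,
                                "expires_at": now + ttl_seconds}
    return token


def redeem_link_token(token, purpose, now=None):
    """Validate and consume a token; return the email on success, else None.

    The entry is removed on any attempt, so a token is usable at most once,
    and it is accepted only before expiry and for the purpose it was issued for.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)
    if entry is None or now > entry["expires_at"] or entry["purpose"] != purpose:
        return None
    return entry["email"]


def purge_expired(now=None):
    """Drop expired pending links and their stored data; return how many."""
    now = time.time() if now is None else now
    stale = [h for h, e in _pending.items() if now > e["expires_at"]]
    for h in stale:
        del _pending[h]
    return len(stale)
```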
Reset or change of password by an Administrator from the control panel
There are two other points at which an administrator can change another user's password:
From the list of users:
From the user edit page:
In the first case a random password is generated and the user must change it within a configurable time or be blocked; in the second case no change is required.
Previously, an email was sent with the new password, whether modified or generated. With the new mechanism, in both cases an email is sent with a link to a screen where the new password can be viewed. After a configurable time, the link is no longer available:
Following the link leads to the password view screen:
Password management from REST APIs
User creation:
In the APIs, self-registration does not apply: users can be created through the API, but only with a Bearer token that grants that permission, so whoever uses this functionality is already authenticated on the platform and has the appropriate permissions.
Password reset:
Currently this is done by sending an email with the password. This functionality has been deprecated: it remains for backward compatibility with applications that currently use it, but be aware that it will be removed in the future:
A new function has been added:
This sends the same email as when the password is reset from the login page, and requires confirmation from the user by entering their new password in the same form.