[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"


Nicolas Malin (Jira)

    [ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16734372#comment-16734372 ]

Gil Portenseigne commented on OFBIZ-4361:
-----------------------------------------

h2. *Idea using JWT:*

To remain simple with password update without adding much code into the codebase, we would like to propose a new idea as a first simple step.

Improve the {{service engine}} to allow the usage of {{JWT token}} to *execute a given service as an authenticated user*.

The JWT token is generated by OFBiz with its secret and contains in its data payload the allowed {{serviceName}} and the {{userLoginId}}.
h2. Given the following use case:

A user asks for a new password, giving his {{userLoginId}}.

A mail is sent with a link containing the JWT token, with the {{serviceName}} *updatePassword* and the {{userLoginId}} in the data payload, and a target to an OFBiz _no auth required_ web page described below.

The user accesses the web page through the link, which presents a form containing:
 * the JWT in its hidden parameters
 * a field asking the new password
 * a submit button.

The validation of this form will call the *updatePassword* service.

Since the user is _not authenticated_, the {{service engine}} will look in the parameters for a token and validate it if one exists. Otherwise, authentication is required.

If a serviceName exists in the data and equals the called one, the other data from the JWT payload are added to the IN service call attributes.



That will simply allow a basic updatePassword process in trunk, which can be extended easily by customizing the URL target and serviceName to add verification and so on.

 

This idea is a first attempt, and should be discussed in regards to the other suggestions.

> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission.  By simply entering "admin" and clicking "Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
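The token-gated service call sketched in the comment above, as an added stand-alone example that is not part of the OFBiz code base or of this thread. It is written in Python (OFBiz itself is Java) so the checks stay visible without a JWT library: the server mints an HS256 token carrying {{serviceName}} and {{userLoginId}}, and the service-engine side, for an unauthenticated caller, verifies the signature with a pinned algorithm, checks that the token was issued for the service actually being called, and merges the remaining payload claims into the IN attributes. The function names, the {{exp}} claim and the rule that token claims override form-supplied values are assumptions made here; the comment only specifies the {{serviceName}} and {{userLoginId}} payload.

```python
"""Added example (not OFBiz code): the JWT-gated service call proposed in the
comment, as a stand-alone Python sketch. Function names, the HS256 signing, the
"exp" claim and the rule that token claims override form fields are assumptions
made here for illustration; the comment only specifies serviceName + userLoginId."""
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    """Unpadded base64url, as JWT uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_reset_token(secret, user_login_id, service_name, ttl_seconds=900, now=None):
    """Server side: OFBiz signs the allowed serviceName and the userLoginId with its
    own secret. The expiry claim is an addition not in the comment's proposal."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps({"serviceName": service_name, "userLoginId": user_login_id,
                                 "iat": now, "exp": now + ttl_seconds},
                                separators=(",", ":")).encode())
    signing_input = header + "." + payload
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class TokenRejected(Exception):
    """Raised by the service engine when the token does not authorize the call."""


def authorize_service_call(secret, token, called_service, now=None):
    """Service engine side, for an unauthenticated caller: validate the token and
    return the payload attributes to add to the service IN map."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm server-side; a token that says alg=none must not be honoured.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise TokenRejected("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise TokenRejected("expired")
    # The token authorizes exactly one service: the one named in its payload.
    if payload.get("serviceName") != called_service:
        raise TokenRejected("token not issued for this service")
    return {k: v for k, v in payload.items() if k not in ("serviceName", "iat", "exp")}


def run_service(secret, called_service, form_params, token=None, now=None):
    """Dispatcher sketch. Token claims are merged last, so the form cannot redirect
    the reset at a userLoginId other than the one the token was minted for."""
    if token is None:
        raise TokenRejected("authentication required")
    attrs = dict(form_params)
    attrs.update(authorize_service_call(secret, token, called_service, now))
    return called_service, attrs


def rejection_reason(secret, called_service, form_params, token=None, now=None):
    """Convenience wrapper: None when the call is authorized, else the reason."""
    try:
        run_service(secret, called_service, form_params, token, now)
        return None
    except TokenRejected as err:
        return str(err)


if __name__ == "__main__":
    secret = b"ofbiz-example-secret"  # constructed for the example, not a real key
    tok = mint_reset_token(secret, "flexadmin", "updatePassword", now=1000)
    print(run_service(secret, "updatePassword",
                      {"userLoginId": "admin", "newPassword": "hunter2"}, tok, now=1200))
    print(rejection_reason(secret, "updateUserLoginSecurity", {}, tok, now=1200))
```

The point the sketch makes beyond the comment's text: the {{userLoginId}} must come from the signed payload and win over any form field, otherwise a token minted for one user could be pointed at another account by editing the hidden form; and the {{serviceName}} check must compare against the service actually invoked, not merely check that some serviceName is present. A production version should also make each token single-use (for example by storing a token id, or by binding the token to the current password hash so it stops validating once the password has changed), which the proposal above leaves open.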