View Issue Details

ID: 14638
Project: Feature requests
Category: Security
View Status: public
Last Update: 2019-03-12 17:45
Reporter: DenisChenu
Assigned To:
Status: new
Resolution: open
Summary: 14638: One time password : add "time out"

One-time passwords seem unlimited in time. A one-time password generated today is still valid in 10 years.
(I didn't test one-time passwords a lot …)
I think it's a good idea to have a time-limited one-time password.

Additional Information
  1. Add a datetime (created ?) column in one time password
  2. Add a one-time password 'timelimit' in config
  3. When a user comes with a one-time password, check if datetime + timelimit is over (or not) and show an error message

After we can start to work on
Where we replace all password sending by one-time password sending.

Tags: No tags attached.




2019-03-12 17:45

developer   ~50931

To disable potential incompatibility with previous systems using one-time passwords: set the default to null/0 => means unlimited.
I dislike having bad security by default, but if it's different, it breaks different usages.

BUT : maybe set it to one hour by default : it's OK because we broke API.
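
The three steps from the issue and the default discussed in the note, as an added example that is not part of the issue or of the project's code. The table layout, the function names and the `TIMELIMIT` setting name are assumptions; the example also stores only a digest of the password and deletes it on use.

```python
import hashlib
import secrets
import sqlite3
import time

# Hypothetical config value in seconds. 0 or None means unlimited (the
# backward-compatible default from the note); 3600 is the one-hour option.
TIMELIMIT = 3600


def open_store():
    db = sqlite3.connect(":memory:")
    # 'created' is the new column proposed in step 1 (Unix time).
    db.execute(
        "CREATE TABLE otp (user TEXT PRIMARY KEY,"
        " digest TEXT NOT NULL, created INTEGER NOT NULL)"
    )
    return db


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


def issue(db, user, now=None):
    """Create a one-time password for user, replacing any earlier one."""
    password = secrets.token_urlsafe(24)
    created = int(time.time() if now is None else now)
    db.execute("REPLACE INTO otp VALUES (?, ?, ?)",
               (user, _digest(password), created))
    return password


def redeem(db, user, password, timelimit=TIMELIMIT, now=None):
    """Return 'ok', 'expired' or 'invalid'."""
    now = int(time.time() if now is None else now)
    row = db.execute("SELECT digest, created FROM otp WHERE user = ?",
                     (user,)).fetchone()
    # Constant-time comparison of the stored and presented digests.
    if row is None or not secrets.compare_digest(row[0], _digest(password)):
        return "invalid"
    # Step 3: the password is over once created + timelimit is in the past.
    expired = bool(timelimit) and now > row[1] + timelimit
    # A matched password is deleted whether it was accepted or had expired.
    db.execute("DELETE FROM otp WHERE user = ?", (user,))
    return "expired" if expired else "ok"
```
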

Issue History

Date Modified Username Field Change
2019-03-12 17:43 DenisChenu New Issue
2019-03-12 17:45 DenisChenu Note Added: 50931