Skip to content

stages/email: use uuid for email confirmation token instead of username#7581

Merged
BeryJu merged 1 commit intomainfrom
stages/email/uuid-token
Nov 15, 2023
Merged

stages/email: use uuid for email confirmation token instead of username#7581
BeryJu merged 1 commit intomainfrom
stages/email/uuid-token

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Nov 15, 2023
edited
Loading

Details

This fixes an issue where a user could create a token with the username of any user and prevent that user from using this stage, the issue is non-exploitable as creating a token manually with this identifier doesn't have a flow plan and hence just leads to an error

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)
  • The translation files have been updated (make i18n-extract)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@BeryJu
stages/email: use uuid for email confirmation token instead of username
3c67e26 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu requested a review from a team as a code owner November 15, 2023 14:21
@netlify
Copy link

netlify bot commented Nov 15, 2023
edited
Loading

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit 3c67e26
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/6554d3f64218270008e7ddc5

@BeryJu
Copy link
Member Author

BeryJu commented Nov 15, 2023

/cherry-pick version-2023.10

@codecov
Copy link

codecov bot commented Nov 15, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (01ffece) 89.91% compared to head (3c67e26) 91.14%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7581      +/-   ##
==========================================
+ Coverage   89.91%   91.14%   +1.23%     
==========================================
  Files         587      587              
  Lines       29029    29030       +1     
==========================================
+ Hits        26101    26460     +359     
+ Misses       2928     2570     -358
Flag Coverage Δ
e2e 50.80% <100.00%> (+5.77%) ⬆️
unit 89.66% <100.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

smusali
smusali reviewed Nov 15, 2023
View reviewed changes
@smusali smusali self-requested a review November 15, 2023 16:06
smusali
smusali approved these changes Nov 15, 2023
View reviewed changes
Copy link
Contributor

@smusali smusali left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@BeryJu BeryJu merged commit 95c7101 into main Nov 15, 2023
@BeryJu BeryJu deleted the stages/email/uuid-token branch November 15, 2023 20:13
gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Nov 15, 2023
@BeryJu
stages/email: use uuid for email confirmation token instead of userna…
e47d71a 
…me (#7581)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@gcp-cherry-pick-bot gcp-cherry-pick-bot bot mentioned this pull request Nov 15, 2023
Merged
BeryJu added a commit that referenced this pull request Nov 15, 2023
@gcp-cherry-pick-bot @BeryJu
stages/email: use uuid for email confirmation token instead of userna…
41eb965 
…me (cherry-pick #7581) (#7584)

stages/email: use uuid for email confirmation token instead of username (#7581)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L <jens@goauthentik.io>
kensternberg-authentik added a commit that referenced this pull request Nov 17, 2023
@kensternberg-authentik
Merge branch 'main' into web/sidebar-with-live-content-3
d5875a5 
* main: (42 commits)
  stages/authenticator_totp: fix API validation error due to choices (#7608)
  website: fix pricing page inconsistency (#7607)
  web: bump API Client version (#7602)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#7603)
  core: bump goauthentik.io/api/v3 from 3.2023103.2 to 3.2023103.3 (#7606)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#7604)
  Revert "web: bump @lit-labs/context from 0.4.1 to 0.5.1 in /web (#7486)"
  root: fix API schema for kotlin (#7601)
  web: bump @lit-labs/context from 0.4.1 to 0.5.1 in /web (#7486)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#7583)
  events: fix missing model_* events when not directly authenticated (#7588)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_TW (#7594)
  providers/scim: fix missing schemas attribute for User and Group (#7477)
  core: bump pydantic from 2.5.0 to 2.5.1 (#7592)
  web/admin: contextually add user to group when creating user from group page (#7586)
  website/blog: title and slug change (#7585)
  events: sanitize functions (#7587)
  stages/email: use uuid for email confirmation token instead of username (#7581)
  website/blog: Blog about zero trust and wireguard (#7567)
  ci: translation-advice: avoid commenting after make i18n-extract
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@smusali smusali smusali approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BeryJu @smusali