feathersjs-ecosystem/feathers-authentication-management

send-reset-pwd.js creates wrong tokens

lapinzon opened this issue · 7 comments

The reset tokens are generated by pre-concatenating a user id and then hashing it.

What do you mean exactly by "wrong"? Could you provide more context or a reproducible sample? The token is generated like this just to be able to retrieve the user directly from the token as far as I understand.

Sorry but we need more context about your use case (module version, feathers version, source code sample, etc.) because as far as I know:

  • signup verification is a basic feature used by a lot of people, so this bug would prevent it from working and everybody should have noticed it a long time ago
  • all tests are currently passing

As far as I understand it is normal that the token sent to the user is not encrypted and the one stored in DB is, because the bcrypt compare function is used https://github.com/feathers-plus/feathers-authentication-management/blob/master/src/reset-password.js#L55, just like when you compare a plain password and the encrypted one in DB when you log in. So there is probably something specific that makes it work the wrong way in your case.

As you might have noticed this module is looking for new maintainers and I'll do my best to answer issues/PRs, but I don't know all the details in the source code well, so the more details you can provide, the better help I can provide.

@claustres Sorry, it seems your answer is related to my comment, which I then deleted (and I shouldn't have). All solved, it was a bug in my code. BTW I might help out as a maintainer as I like the module

I guess, we can close this. Or @lapinzon provides more information about why this is an issue.

Yes, the password-reset token is a string composed of the user id AND a random byte string of length options.longTokenLen (see send-reset-pwd.js). By doing so there is no chance that two reset tokens are the same (which could happen with just random strings, although very unlikely).

@claustres is also right. The password-reset token is stored in hashed form in the database (like the password) and sent to the user in clear text form. As it should.

PS: I probably cannot be a single maintainer for this package, but I will be happy to help as much as I can. We use this package in two business applications and are very interested in having this package maintained.

@OnnoGabriel We also use this package in our product, if you'd like to help me maintain it please tell me and I will ask @marshallswain if I can add you to the repo.

Yes, you are right, it was my lack of understanding and confusion with other versions.

Thanks a lot for your time.

@lapinzon, glad we solved this issue.

@claustres, as I said, I would be happy to help. Not as the only responsible person, but in a team would be fine with me.