0a2a45512c
Fix the code extracting current user id from the access token provided in the HTTP request, to allow only access tokens created by the target user models to execute the action. This fixes the following security vulnerability:

* A UserA with id 1 (for example) requires a resetToken1.
* A UserB with the same id requires a resetToken2.
* Using resetToken2, use the UserAs/reset-password endpoint and change the password of UserA, and/or vice-versa.