diff options
| author | Robert Speicher <robert@gitlab.com> | 2015-12-10 04:58:11 +0300 |
|---|---|---|
| committer | Robert Speicher <rspeicher@gmail.com> | 2015-12-10 04:59:14 +0300 |
| commit | 0c0854c86a0d681aa5360b56b94cbc8f87f8dbad (patch) | |
| tree | 3307ca9b0d70ab2b3e296a93d71e8f8aa42feae1 /config | |
| parent | 9888a9725b5275962992d179b5deb27f7d9cadb2 (diff) | |
Merge branch 'devise_paranoid_mode' into 'master'
Enable Devise paranoid mode and ensure the returned message is the same
every time. This will prevent user enumeration (low impact).
Prior to this change a user could type an email in the password reset
field and if the email didn't exist it returned an error. If the email
was valid it returned a message saying the forgot password link had been
emailed. After this change the user will receive a message that if the
email is in our database the reset link will be emailed.
I also changed the throttle mechanism so it still works the same but
now returns the exact same message as above. Previously it would say
'You've already sent a request. Wait a few minutes'. This also allows
user enumeration, although it requires a double-check.
Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624
See merge request !2044
Diffstat (limited to 'config')
| -rw-r--r-- | config/initializers/devise.rb | 2 | ||||
| -rw-r--r-- | config/locales/devise.en.yml | 1 |
2 files changed, 1 insertions, 2 deletions
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 29506970af2..5fb43a86e13 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -60,7 +60,7 @@ Devise.setup do |config| # It will change confirmation, password recovery and other workflows # to behave the same regardless if the e-mail provided was right or wrong. # Does not affect registerable. - # config.paranoid = true + config.paranoid = true # ==> Configuration for :database_authenticatable # For bcrypt, this is the cost for hashing the password and defaults to 10. If diff --git a/config/locales/devise.en.yml b/config/locales/devise.en.yml index 22070e37f07..bd4c3ebc69e 100644 --- a/config/locales/devise.en.yml +++ b/config/locales/devise.en.yml @@ -30,7 +30,6 @@ en: success: "Successfully authenticated from %{kind} account." passwords: no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided." - recently_reset: "Instructions about how to reset your password have already been sent recently. Please wait a few minutes to try again." send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes." send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes." updated: "Your password has been changed successfully. You are now signed in." |