Warn for password reset when files_encryption is enabled #11696
8948871 to 5ff95ef
Code-wise it looks good and not too much of a UI change. Can you supply a screenshot? One thing:
Of course, please note that the encryption warning is shown at the password reset step, not the login screen. This has the reason that the potentially data-destroying step is the password reset and not clicking the "reset password button": After the user checked the proceed box and clicked the "reset password" button again, the password is reset.
Yep. Let's kill all the legacy 🔥 🔥 🔥
You can also take a look by enabling encryption and opening
Looks ok design-wise. Appropriate to the cause. ;)
@schiesbn @th3fallen Up for a review? - Testing this is simple, just enable the encryption app and try the password reset functionality. It should show a warning in the last final step when resetting the password.
Looks good. Isn't it possible to detect if the user does have a recovery key? And then display a message adapted to the user's situation?
Problem here is that I do not really want to leak to a potential adversary whether a recovery key is in place or not for specific users. Unless it really makes it easier to understand. - Furthermore, this would add even more code from files_encryption into core. @jancborchardt Your call.
I understand your point concerning the potential adversary, but does it really make a difference? I mean, is it really easier for him to break the security if he knows that? I hope it's not ;)
Well, it at least allows you to force somebody physically to give the recovery password (i.e. an administrator) :-) But maybe that's just my hyper paranoid stance together with the reluctance to add more files_encryption code into core :-)
Let’s first improve this bit and then see separately if anything else needs to be done.
I just tried it, but I don't get the warning, instead I get directly redirected to:
BTW: If I look at the diff I don't see a string with the warning, maybe you forgot to attach a file?
Well, because it appears within the next step. Just click the link (or get the token out of the DB :))
Nope. It was already there since ages and just unused code :-)
Actually the reason for having it in the other step was for me that the destructive action ("changing the password") is the one when changing it - not requesting it.
Hm, if I try to open the link I get an empty page. No errors in the log files or the JS console.
That's strange. Can you paste the link here?
This is the link:
I verified the token, it is the same as stored in the database
@schiesbn Damn, that happens when one does not have a local mail system setup :-/ 81ddc20 - sorry again...
OK, now it works. Just two things. If I hover over the "I know what I'm doing" the font colour becomes really dark and it stays dark after the checkbox was clicked. This is really hard to read: After login with the new password the user now gets "Invalid private key for Encryption App. Please update your private key password in your personal settings to recover access to your encrypted files." But there is no way to create a new key pair. Either we should have an option in the personal settings to create a new key pair or create it on-the-fly if the user resets the password. The code to create a new key pair should already be there, this also happens when the admin sets a new password. We probably just need a hook the encryption app can listen to and trigger the generation of a new key pair.
If you add a hook for the successful password recovery (the hook needs to contain the new password as parameter), I can take care of the encryption app to listen to it and to perform the necessary steps.
Sure. That sounds like a good idea!
@schiesbn I added a hook as suggested with a9e4ea4. However, I did not really use hooks much in the past. Would be great if you could let me know if this is sufficient! :-) - That said, feel free to commit any changes regarding your above pointed out issue directly to this branch.
43e1e43 to 092a5ef
Just to summarize the behaviour: If a user agrees to reset the password we will first make a backup of all encryption keys. Then we will create a new private/public key for the user, based on his new login password. After login he will no longer be able to read his old files. But can upload new files with his new key.
@LukasReschke I discovered one problem. Creating a new key pair can take 1-2 seconds. So it could happen that the user clicks the "Reset password" button again which can lead to many nasty things, e.g. we could create two new key pairs in parallel. Can you disable the button after the user clicked it the first time to avoid such race conditions? Thanks!
@schiesbn Done with 293b75c - great that you noticed that. Would have created nasty bugs and hard to debug bugs :-)
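The double-submit race described above, modelled as an added example (not code from this pull request or from ownCloud): the store, the token value and all function names are hypothetical, and key generation is a timed stand-in. It goes one step beyond the button fix by showing the server-side counterpart, consuming the reset token before the slow work starts, so a repeated request is rejected even if the client sends it.

```javascript
// Added example: hypothetical names and constructed sample state, not ownCloud code.
function makeStore() {
  return {
    tokens: new Map([['tok-123', 'alice']]),   // reset token -> user
    keys: new Map([['alice', 'old-keypair']]), // current key pair per user
    backups: [],                               // key pairs saved before replacement
    generated: 0,                              // number of key pairs created
  };
}

// Stand-in for the slow key generation (1-2 seconds in the thread, 20 ms here).
async function generateKeyPair(store) {
  await new Promise((resolve) => setTimeout(resolve, 20));
  store.generated += 1;
  return 'keypair-' + store.generated;
}

// Hypothetical listener for the password-reset hook: back up, then replace.
async function onPasswordReset(store, user) {
  store.backups.push(store.keys.get(user));
  store.keys.set(user, await generateKeyPair(store));
}

// Racy: the token is deleted only after the slow step, so a repeat passes the check.
async function resetRacy(store, token) {
  const user = store.tokens.get(token);
  if (!user) return false;
  await onPasswordReset(store, user);
  store.tokens.delete(token);
  return true;
}

// Guarded: the token is consumed before any slow work, so a repeat is rejected.
async function resetGuarded(store, token) {
  const user = store.tokens.get(token);
  if (!user || !store.tokens.delete(token)) return false;
  await onPasswordReset(store, user);
  return true;
}

// Send the same reset request twice without waiting, as a double click would.
async function doubleClick(resetFn) {
  const store = makeStore();
  const results = await Promise.all([
    resetFn(store, 'tok-123'),
    resetFn(store, 'tok-123'),
  ]);
  return { results, generated: store.generated, backups: store.backups.length };
}
```

`doubleClick(resetRacy)` resolves with two accepted requests and two generated key pairs; `doubleClick(resetGuarded)` accepts one request and generates one key pair.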
THX @schiesbn (I should set up a mail server on my local system...)
…eate a new key-pair
… a new key pair for the user
Creating a new key pair can take 1-2 seconds. So it could happen that the user clicks the "Reset password" button again which can lead to many nasty things, e.g. we could create two new key pairs in parallel.
6707765 to 9eeea57
I added a spinner with 9eeea57 - but it is not centered, anybody knows how to do that properly within our code base?
Summoning @MorrisJobke.
A new inspection was created.
@LukasReschke fixed with 345eb62 Still 👍
🚀 Test PASSed. 🚀
@schiesbn Wanna review?
👍
…sword Warn for password reset when files_encryption is enabled
Where is this nice warning message when a user tries to recover his password and does not have the recovery password enabled you mention @schiesbn ? I am using 7.0.4 and just tried the reset password function with no such warning. This is a catastrophe in terms of UX as his account is all messed up after. How do you expect a user remembering his old password in order to reset his private key? This user just clicked "reset password" for a reason... because he forgot it...
Hello everyone. Having the warning message back is really great. However, there will still be MANY users that will just tick the box and proceed and will then complain to us (their admin) for not being able to access their old files. Password reset through an email link -at least the way it is right now- is quite a problem for us. It significantly increases the administration work on our side, as we have to reply to emails and phone calls and explain to technical or non-technical customers why they no longer have access to their files, no matter if we clearly stress in our instructions and FAQ that password recovery disabled together with a weak memory can be a catastrophic combination. Most importantly, we have several customers that forget their password/encryption key, reset their log-in password via the email link, realise that they no longer have access to their files and instead of contacting us, they decide to re-upload them. This means that they end up using double the storage space that they are paying us for (e.g. if they have a 10 GB storage package, they can end up using 20 GB; 10 GB for their newly uploaded unencrypted files and 10 GB for the inaccessible encrypted files). For us, an "easy" solution to this would be to have the possibility to disable password reset via email link for customers with password recovery disabled and enable password reset via email link for those that have password recovery enabled. Thanks.
@RandieM Can you open this as a feature request with a new ticket in this bug tracker? Otherwise it will get lost. Thanks
@MorrisJobke thanks for the advice. I opened this issue #16839. I was a bit unsure how to do what you suggested, so I hope it's OK like that.
This patch will warn the user of the consequences when resetting the password and requires checking a checkbox (as we had in the past) to reset a password.
Furthermore I updated the code to use our new classes and added some unit tests for it 👯
Fixes #11438
@jancborchardt Requires some UI love.
\cc @gig13