Rasmus Vind
Well-known member
- Affected version
- v2.0.10
I am working towards integrating @Steve Gibson's SQRL login system with XenForo and I just came across an interesting series of steps. I just tested it with a Google account and it's the same with all kinds of connected accounts, I believe.
So I did the following:
Also, I used a bogus email (I know, my own fault) and XenForo allowed me to disassociate my connected account even though:
You can do better, and you usually do.
The code in XF\Pub\Controller\Account::actionConnectedAccountDisassociate has the following lines:
Which means that it resets my password in case I never used it. A nice feature because it knows I don't have a password except that $visitor->Auth->resetPassword forces a log-out. I feel like we need to do something similar to what we do in XF\ControllerPlugin\Login when changing our password:
It ensures that when changing the password, we aren't logged out. Because the session depends on the password somehow.
I feel like you should be forced to set a password (when you don't have one) when you remove your last connected account. Also, you shouldn't be instantly logged out and definitely not redirected to a page never visible to you when logged out. Also, you may wish to consider requiring email validation prior to relying on password recovery.
Thanks,
Ralle
So I did the following:
- Click "Register"
- Click "Register faster using: Anything"
- Enter username and email
- Click your username and hit "Connected accounts"
- Tick "Disassociate Anything account" and click "Confirm disassociation"
Also, I used a bogus email (I know, my own fault) and XenForo allowed me to disassociate my connected account even though:
- It knew my email was not validated.
- It knew I had no password.
You can do better, and you usually do.
The code in XF\Pub\Controller\Account::actionConnectedAccountDisassociate has the following lines:
PHP:
if (!$auth->hasPassword() && $totalConnected <= 1)
{
$visitor->Auth->resetPassword();
$sendConfirmation = true;
}
else
{
$sendConfirmation = false;
}Which means that it resets my password in case I never used it. A nice feature because it knows I don't have a password except that $visitor->Auth->resetPassword forces a log-out. I feel like we need to do something similar to what we do in XF\ControllerPlugin\Login when changing our password:
PHP:
public function handleVisitorPasswordChange()
{
$visitor = \XF::visitor();
if (!$visitor->user_id)
{
return;
}
/** @var \XF\Repository\UserRemember $rememberRepo */
$rememberRepo = $this->repository('XF:UserRemember');
$userRemember = $this->validateVisitorRememberKey();
$rememberRepo->clearUserRememberRecords($visitor->user_id);
if ($userRemember)
{
// had a remember key before which has been invalidated, so give another one
$this->createVisitorRememberKey();
}
// this will reset the necessary details in the session (such as password date)
$this->session->changeUser($visitor);
}It ensures that when changing the password, we aren't logged out. Because the session depends on the password somehow.
I feel like you should be forced to set a password (when you don't have one) when you remove your last connected account. Also, you shouldn't be instantly logged out and definitely not redirected to a page never visible to you when logged out. Also, you may wish to consider requiring email validation prior to relying on password recovery.
Thanks,
Ralle
