Add app setting logoutSessionsOnSensitiveChanges [2.x] #3109
Conversation
| '', | ||
| 'The user model %j is attached to an application that does not specify', | ||
| 'whether other sessions should be invalidated when a password or', | ||
| 'an email was changed. Invalidating sessions is important for security', |
There was a problem hiding this comment.
Session invalidation is important for security reasons as it allows users to recover from various account breach situations.
| 'reasons, to allow users to recover from the situation where', | ||
| 'an attacker got access to their account.', | ||
| '', | ||
| 'We are recommending to turn this feature on by setting', |
There was a problem hiding this comment.
We recommend turning this feature on by...
| '', | ||
| 'We are recommending to turn this feature on by setting', | ||
| '"{{logoutSessionsOnSensitiveChanges}}" to {{true}} in', | ||
| '{{server/config.json}}, unless you have implemented your own solution', |
There was a problem hiding this comment.
take out the , after }} and using (unless you've implemented your own solution for token invalidation).
| '{{server/config.json}}, unless you have implemented your own solution', | ||
| 'for token invalidation.', | ||
| '', | ||
| 'You should also enable "{{injectOptionsFromRemoteContext}}" in %s\'s', |
There was a problem hiding this comment.
We also recommend enabling
| '', | ||
| 'You should also enable "{{injectOptionsFromRemoteContext}}" in %s\'s', | ||
| 'settings (typically via common/models/*.json file). This is', | ||
| 'needed to allow the invalidation algorithm to keep the current', |
There was a problem hiding this comment.
This setting is required for the invalidation...
bajtos
force-pushed
the
fix/flag-to-invalidate-tokens
branch
from
dd657a9 to
a91c96c
Compare
|
@superkhau fixed, LGTY now? @crandmck ping |
Invalidate all existing sessions (delete all access tokens) after user's password was changed.
| '', | ||
| 'The user model %j is attached to an application that does not specify', | ||
| 'whether other sessions should be invalidated when a password or', | ||
| 'an email was changed. Session invalidation is important for security', |
| 'reasons as it allows users to recover from various account breach', | ||
| 'situations.', | ||
| '', | ||
| 'We recommend to turn this feature on by setting', |
There was a problem hiding this comment.
we recommend turning this feature
Disable invalidation of access tokens by default to restore backwards compatibility with older 2.x versions. Add a new application-wide flag logoutSessionsOnSensitiveChanges that can be used to explicitly turn on/off the token invalidation. When the flag is not set, a verbose warning is printed to nudge the user to make a decision how they want to handle token invalidation.
bajtos
force-pushed
the
fix/flag-to-invalidate-tokens
branch
from
a91c96c to
f1e31ca
Compare
|
@slnode test please
AFAICT, the build failure is unrelated, let's run the build again to see if it was intermittent. |
bajtos
changed the title
|
@bajtos you should attach docs (links) to such changes (preferably in changelog.md) not only log console outputs. so we can better figure out what's going on exactly and how those changes work. could you please provide some more information? ty |
|
@michaelfreund thank you for the feedback, I did have the feeling that adding a warning may not be sufficient. I'd like to update the documentation ASAP. In the meantime, please take a look at my #3112 (comment) and let me know if there is any more information to help LoopBack users with the upgrade (preferably by posting comments in #3112). |
Description
Disable invalidation of access tokens by default to restore backwards compatibility with older 2.x versions.
Add a new application-wide flag
logoutSessionsOnSensitiveChangesthat can be used to explicitly turn on/off the token invalidation.When the flag is not set, a verbose warning is printed to nudge the user to make a decision how they want to handle token invalidation.
Related issues
Checklist
guide
@superkhau Please review
@crandmck Could you please review the warning? It's a long one, should we move some of the text into documentation and provide a link to docs in the warning?
@tvdstaaij @fabien PTAL too - will this solution work for you?