
Move the "password expiry check" to after "password verification succeeded" #137

Closed
IMBlues opened this issue Nov 3, 2021 · 0 comments · Fixed by #138
Labels
Layer: api Api module related Layer: login Login module related Sign: security Something related to security
Comments


IMBlues commented Nov 3, 2021

Current flow:

User submits an expired password -> check whether the password has expired -> if expired, raise "password expired"

There is a problem here: once a user's password has expired, the "password expired" error is raised no matter whether the entered password is correct or not, which creates a username brute-forcing security risk.

It needs to be changed to:

User submits an expired password -> check whether the password is correct -> if correct and expired, raise the "password expired" error
IMBlues added the labels Layer: api (Api module related), Layer: login (Login module related) and Sign: security (Something related to security) on Nov 3, 2021
IMBlues added a commit that referenced this issue Nov 4, 2021
fix: move the "password expiry check" to after "password verification succeeded" #137
IMBlues closed this as completed Nov 4, 2021
IMBlues added this to the 202111H1 milestone Nov 8, 2021
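The two orderings side by side, as an added illustration that is not code from this issue or from the project. The user records, passwords, clock (`NOW`) and helper names (`login_before_fix`, `login_after_fix`, `probe`) are all constructed here; the point is that in the original order an expired account answers "expired" to any password, while in the fixed order a wrong password on an expired account is indistinguishable from a wrong password on any other account, or from a non-existent username.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed demo clock: every expiry below is relative to this instant.
NOW = datetime(2021, 11, 3, tzinfo=timezone.utc)
PBKDF2_ROUNDS = 20_000  # kept low so the demo runs quickly; use far more in production


class InvalidCredentials(Exception):
    """Generic failure: wrong username or wrong password, indistinguishable to the caller."""


class PasswordExpired(Exception):
    """Password was correct but has passed its validity period."""


@dataclass(frozen=True)
class User:
    username: str
    salt: bytes
    pwd_hash: bytes
    valid_until: datetime  # password expiry time


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(username: str, password: str, valid_until: datetime) -> User:
    salt = os.urandom(16)
    return User(username, salt, _derive(password, salt), valid_until)


# Constructed accounts (hypothetical, not from the project):
#   alice: password expired yesterday; bob: password still valid for a month.
USERS = {
    "alice": make_user("alice", "alice-old-secret", NOW - timedelta(days=1)),
    "bob": make_user("bob", "bob-secret", NOW + timedelta(days=30)),
}
# Dummy record so an unknown username costs the same hash work as a known one.
_DUMMY = make_user("", "", NOW)


def password_matches(user: User, password: str) -> bool:
    return hmac.compare_digest(_derive(password, user.salt), user.pwd_hash)


def login_before_fix(username: str, password: str, now: datetime = NOW) -> User:
    """Original order: expiry is checked before the password is verified."""
    user = USERS.get(username)
    if user is None:
        raise InvalidCredentials()
    if user.valid_until <= now:
        # Raised for ANY password, so the caller learns the account exists (and is expired).
        raise PasswordExpired()
    if not password_matches(user, password):
        raise InvalidCredentials()
    return user


def login_after_fix(username: str, password: str, now: datetime = NOW) -> User:
    """Fixed order: expiry is only reported once the password has been verified."""
    user = USERS.get(username, _DUMMY)
    ok = password_matches(user, password)  # always runs, so the response time is uniform
    if user is _DUMMY or not ok:
        raise InvalidCredentials()
    if user.valid_until <= now:
        raise PasswordExpired()
    return user


def probe(login, username: str, password: str) -> str:
    """Return the outcome name a client would observe from one login attempt."""
    try:
        login(username, password)
        return "ok"
    except PasswordExpired:
        return "expired"
    except InvalidCredentials:
        return "invalid"


if __name__ == "__main__":
    for fn in (login_before_fix, login_after_fix):
        print(fn.__name__)
        for u, p in [("alice", "guess"), ("alice", "alice-old-secret"), ("nobody", "guess")]:
            print(f"  {u!r}/{p!r} -> {probe(fn, u, p)}")
```

Besides the reordering itself, `login_after_fix` hashes against a dummy record for unknown usernames so that a missing account and a wrong password take the same amount of work; otherwise the response time could leak what the error message no longer does.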