This repository has been archived by the owner on Oct 14, 2020. It is now read-only.

API to check if tokens are still valid, without changing password #7

Open
eddyystop opened this issue Nov 16, 2018 · 2 comments

Comments

@eddyystop
Member

Copied from feathersjs-ecosystem/feathers-authentication-management#2

@eddyystop
Member Author

eddyystop commented on Apr 28, 2017

A concern about security for short numeric tokens is the main reason for not implementing this (yet?). A rate limiter would be advisable that limited the retries per userId, perhaps once every few seconds. That, in addition, introduces state restricted to a single instance. Furthermore a function to check this without a rate limiter is not difficult for people to implement on their own.

@eddyystop
Member Author

eddyystop commented Nov 17, 2018

This issue is being left open for people considering this question. The a-l-m rewrite has hardened against hacking. Implementing a feature like that requested here would open an easier attack vector than we've ever had, which I am not willing to do.

If your use case requires this, despite making it easier to hack your app, then it's straightforward to write a hook similar to https://github.com/feathers-plus/authentication-local-management/blob/master/src/verify-signup.js. I suggest you include a rate limiter to slow down hacking attempts.
