nemunaire/chldapasswd
1
0
Fork 0
Code Issues Pull requests Releases Activity
chldapasswd/static
History
Pierre-Olivier Mercier 57775bbf89 fix(security): redesign password reset tokens using crypto/rand with server-side storage 
- Replace SHA512-based deterministic token with 32-byte crypto/rand token
- Store tokens server-side with 1-hour expiry and single-use semantics
- Remove genToken (previously broken due to time.Add immutability bug)
- Add CSRF double-submit cookie protection to change/lost/reset forms
- Remove token from form action URL (use hidden fields only, POST body)
- Add MailFrom field and SMTP_FROM env var for configurable sender address
- Add SMTP_PASSWORD_FILE env var for secure SMTP password loading
- Add PUBLIC_URL env var and --public-url flag for configurable reset link domain
- Use generic error messages in handlers to avoid information disclosure

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-06 15:30:48 +07:00
..
change.html fix(security): redesign password reset tokens using crypto/rand with server-side storage 2026-03-06 15:30:48 +07:00
footer.html Theming 2018-12-31 01:00:24 +01:00
header.html Theming 2018-12-31 01:00:24 +01:00
login.html Theming 2018-12-31 01:00:24 +01:00
lost.html fix(security): redesign password reset tokens using crypto/rand with server-side storage 2026-03-06 15:30:48 +07:00
message.html Theming 2018-12-31 01:00:24 +01:00
reset.html fix(security): redesign password reset tokens using crypto/rand with server-side storage 2026-03-06 15:30:48 +07:00