Branch: refs/heads/XWIKI-21571
Home: https://github.com/xwiki/xwiki-platform
Commit: c45e6618312fbb9a86562e6a0b1331a6f9a41dc9
https://github.com/xwiki/xwiki-platform/commit/c45e6618312fbb9a86562e6a0b13…
Author: Simon Urli <simon.urli(a)xwiki.com>
Date: 2024-03-22 (Fri, 22 Mar 2024)
Changed paths:
M xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-test/xwiki-platform-administration-test-docker/src/test/it/org/xwiki/administration/test/ui/ResetPasswordIT.java
M xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties
M xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/main/java/org/xwiki/security/authentication/internal/DefaultResetPasswordManager.java
M xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/main/resources/ApplicationResources.properties
M xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/test/java/org/xwiki/security/authentication/internal/DefaultResetPasswordManagerTest.java
M xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-script/src/main/java/org/xwiki/security/authentication/script/AuthenticationScriptService.java
Log Message:
-----------
XWIKI-21571: Change default value of the reset password token lifetime
Change the logic a bit more: if the token lifetime configuration is set
to 0 (which was the default) then we automatically remove the reset
password request xobject at the first wrong attempt (bad verification code):
it will prevent any brute-force attack. Then if there's a token lifetime
configuration set, we don't remove the xobject when a bad attempt is
performed: the user might have used the wrong mail for example. But we do
remove the xobject when it's expired. And if it's expired, or if the
code was wrong, in both cases we immediately return an error.
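The verification policy the commit message describes, as an added Java sketch that is not the project's code: `ResetRequest`, `ResetTokenPolicy` and `verify` are hypothetical stand-ins for XWiki's reset-password request xobject and manager, and comparing the codes with `MessageDigest.isEqual` is an assumption about how the check should be done, not something the commit states.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;

// Hypothetical model of the policy: lifetime 0 (the old default) means the
// request is dropped on the first bad code; a configured lifetime keeps the
// request across bad attempts but drops it once expired.
public class ResetTokenPolicy {
    // Constructed stand-in for the reset-password request xobject.
    static final class ResetRequest {
        final String verificationCode;
        final Instant createdAt;
        boolean removed;
        ResetRequest(String code, Instant createdAt) {
            this.verificationCode = code;
            this.createdAt = createdAt;
        }
    }

    enum Outcome { OK, BAD_CODE, EXPIRED }

    private final Duration tokenLifetime; // Duration.ZERO = no lifetime configured

    ResetTokenPolicy(Duration tokenLifetime) { this.tokenLifetime = tokenLifetime; }

    Outcome verify(ResetRequest request, String submittedCode, Instant now) {
        boolean lifetimeConfigured = !tokenLifetime.isZero();
        // Expired requests are always removed and rejected immediately.
        if (lifetimeConfigured && now.isAfter(request.createdAt.plus(tokenLifetime))) {
            request.removed = true;
            return Outcome.EXPIRED;
        }
        // Constant-time comparison (assumption) so timing does not leak the code.
        boolean match = MessageDigest.isEqual(
            request.verificationCode.getBytes(StandardCharsets.UTF_8),
            submittedCode.getBytes(StandardCharsets.UTF_8));
        if (!match) {
            // No lifetime: one wrong code invalidates the request (anti brute-force).
            // With a lifetime: keep it, the user may simply have mistyped.
            if (!lifetimeConfigured) {
                request.removed = true;
            }
            return Outcome.BAD_CODE;
        }
        return Outcome.OK; // what happens on success is outside the commit message
    }
}
```

With `Duration.ZERO` a single `BAD_CODE` result leaves `request.removed == true`; with a configured lifetime it stays `false` until `EXPIRED` is returned.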