coderd/userauth: log when an attempted password reset attempt fails #15154

Closed
johnstcn opened this issue Oct 21, 2024 · 0 comments · Fixed by #15267
johnstcn commented Oct 21, 2024

Relates to #14232

Motivation

A security team may wish to monitor attempts to reset user passwords.

Proposed Solution

We should drop some logs at ERROR or WARN when the following events occur:

  • A password reset request is submitted for a user account that does not exist
  • An invalid password reset request is submitted for a user account due to the one time code not matching
@coder-labeler coder-labeler bot added the bug risk Prone to bugs label Oct 21, 2024
DanielleMaywood added a commit that referenced this issue Oct 29, 2024
Closes #15154

Log when someone attempts to either
- Request a one-time passcode for an account that doesn't exist
- Attempt to change a password with an invalid one-time passcode and/or
email

---------

Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
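
The two events listed in the issue, logged at WARN by a handler that returns the same error for both, as an added example that is not code from the Coder repository or the referenced commit. The function names, log field names, in-memory user map and sample addresses are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"context"
	"crypto/subtle"
	"errors"
	"fmt"
	"log/slog"
)

// errResetFailed is returned for every failure so the response hides the reason.
var errResetFailed = errors.New("incorrect email or one-time passcode")

// changePassword checks a reset attempt against users (email -> valid code, a
// constructed stand-in for the user store) and logs each failure at WARN.
func changePassword(ctx context.Context, log *slog.Logger, users map[string]string, email, code, remoteIP string) error {
	attrs := []any{slog.String("email", email), slog.String("remote_ip", remoteIP)}
	want, ok := users[email]
	if !ok {
		log.WarnContext(ctx, "password reset attempted for unknown account", attrs...)
		return errResetFailed
	}
	// Constant-time compare; the submitted and expected codes are never logged.
	if subtle.ConstantTimeCompare([]byte(want), []byte(code)) != 1 {
		log.WarnContext(ctx, "password reset attempted with invalid one-time passcode", attrs...)
		return errResetFailed
	}
	return nil
}

// runSample replays three constructed attempts; returns log text and errors.
func runSample() (string, []error) {
	var buf bytes.Buffer
	log := slog.New(slog.NewTextHandler(&buf, nil))
	users := map[string]string{"alice@example.com": "constructed-otp-1"}
	ctx := context.Background()
	errs := []error{
		changePassword(ctx, log, users, "mallory@example.com", "guess", "203.0.113.7"),
		changePassword(ctx, log, users, "alice@example.com", "wrong-code", "203.0.113.7"),
		changePassword(ctx, log, users, "alice@example.com", "constructed-otp-1", "198.51.100.4"),
	}
	return buf.String(), errs
}

func main() {
	logs, errs := runSample()
	fmt.Printf("%s%v\n", logs, errs)
}
```

The distinct log messages give a security team something to alert on, while the caller sees one error for both failures and cannot use the endpoint to enumerate accounts.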