ChangePasswordByIdentity API works without current password [URGENT] #65

Open
arihant30 opened this issue Apr 18, 2022 · 0 comments

@arihant30

This API: https://github.com/FusionAuth/go-client/blob/master/pkg/fusionauth/Client.go#L290 has the functionality to:

// ChangePasswordByIdentity
// Changes a user's password using their identity (login id and password). Using a loginId instead of the changePasswordId
// bypasses the email verification and allows a password to be changed directly without first calling the #forgotPassword
// method.
// ChangePasswordRequest request The change password request that contains all of the information used to change the password.

If I do not pass the current_password in this API, it still changes the user's password without the current password. If I pass something as current_password in the request it does check if it matches the user's current password.

The abnormal behavior happens when nothing is passed as current_password.

Similarly, in the FusionAuth dashboard, I can change any user's password without the previous password. Is this behavior intended?
Or are these 2 issues related and pointing to a bigger overall problem with how FusionAuth changes passwords?
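The behaviour reported above is that an absent current password skips the verification step entirely, while a wrong one is rejected. The following is an added example, not code from the go-client or from FusionAuth, showing the guard an application should apply on its side before calling a change-by-identity endpoint, plus a model of how the server side should treat the same request: an empty current password is a rejection, not a skip. The `ChangePasswordRequest` struct, its field names, and the in-memory store are assumptions constructed for this example; a real service would compare against a password hash rather than a stored plaintext.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// ChangePasswordRequest mirrors only the fields relevant to this check.
// Field names are assumed for this example; they are not taken from the
// go-client source.
type ChangePasswordRequest struct {
	LoginId         string
	CurrentPassword string
	Password        string
}

var (
	ErrMissingLoginId         = errors.New("loginId is required")
	ErrMissingNewPassword     = errors.New("new password is required")
	ErrMissingCurrentPassword = errors.New("current password is required when changing a password by identity")
	ErrCurrentPasswordMismatch = errors.New("current password does not match")
)

// ValidateChangeByIdentity is the client-side guard: it refuses to build a
// change-by-identity request that omits the current password, so the
// "nothing passed means nothing checked" path is never reached from here.
func ValidateChangeByIdentity(req ChangePasswordRequest) error {
	if strings.TrimSpace(req.LoginId) == "" {
		return ErrMissingLoginId
	}
	if strings.TrimSpace(req.Password) == "" {
		return ErrMissingNewPassword
	}
	if strings.TrimSpace(req.CurrentPassword) == "" {
		return ErrMissingCurrentPassword
	}
	return nil
}

// memStore is a constructed in-memory credential store for the demo
// (loginId -> current password). Real systems store a hash, never plaintext.
type memStore map[string]string

// verify does a constant-time comparison so a mismatch and a match take the
// same time regardless of where the strings diverge.
func (m memStore) verify(loginId, password string) bool {
	stored, ok := m[loginId]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(stored), []byte(password)) == 1
}

// ServerSideChange models the correct server behaviour: validate presence of
// every field first, then verify the current password, and only then apply
// the change. It returns true only when the password was actually updated.
func ServerSideChange(store memStore, req ChangePasswordRequest) (bool, error) {
	if err := ValidateChangeByIdentity(req); err != nil {
		return false, err
	}
	if !store.verify(req.LoginId, req.CurrentPassword) {
		return false, ErrCurrentPasswordMismatch
	}
	store[req.LoginId] = req.Password
	return true, nil
}

func main() {
	// Constructed sample account for the demo.
	store := memStore{"alice@example.com": "old-secret"}

	// Case 1: current password omitted. Must be rejected, not silently applied.
	changed, err := ServerSideChange(store, ChangePasswordRequest{
		LoginId: "alice@example.com", Password: "new-secret",
	})
	fmt.Printf("omitted current password: changed=%v err=%v\n", changed, err)

	// Case 2: wrong current password. Must be rejected.
	changed, err = ServerSideChange(store, ChangePasswordRequest{
		LoginId: "alice@example.com", CurrentPassword: "guess", Password: "new-secret",
	})
	fmt.Printf("wrong current password:   changed=%v err=%v\n", changed, err)

	// Case 3: correct current password. The only case that applies the change.
	changed, err = ServerSideChange(store, ChangePasswordRequest{
		LoginId: "alice@example.com", CurrentPassword: "old-secret", Password: "new-secret",
	})
	fmt.Printf("correct current password: changed=%v err=%v\n", changed, err)
}
```

The point of running validation before the credential check is that "field absent" and "field wrong" both end in a rejection; the two differ only in the error returned, never in whether the password is changed.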
