https://www.ory.sh/ logo
Powered by
#talk-kratos
Title
# talk-kratos
b

bitter-arm-6486

01/07/2022, 4:41 PM
Hi, after looking over documentation, it seems that kratos allows users to update password without first confirming their existing one. Is this something on the roadmap? This can be a security concern (anyone logged in can update user password, say on a shared computer). Most account providers require the old password, right?
q

quick-apartment-80558

01/07/2022, 4:42 PM
Hi! Do you mean email address? I mean... That would also be something odd
b

bitter-arm-6486

01/07/2022, 4:43 PM
Hi, no, the update password feature:
Currently, if the user is logged in, they are free to update the password immediately without further verification
Expected behaviour (or at least optional for devs to implement):
q

quick-apartment-80558

01/07/2022, 4:44 PM
This is from an example UI and / or app. Right?
b

bitter-arm-6486

01/07/2022, 4:45 PM
This is from the ory kratos documentation
q

quick-apartment-80558

01/07/2022, 4:49 PM
The documentation in that particular regard is aimed to illustrate and shouldn't necessarily be taken as a boilerplate... production implementation would require some tweaks for devs as you rightly mentioned
b

bitter-arm-6486

01/07/2022, 4:50 PM
Yea, I just didn't see any recommended method to perform this user password verification step, outside of the profile update. As far as I know other than logging in there's no separate password verification endpoint
p

proud-plumber-24205

01/07/2022, 4:51 PM
Remember that the settings flow has a setting called 
privileged_session_max_age
https://www.ory.sh/kratos/docs/self-service/flows/user-settings#updating-privileged-fields setting this to a value such as 15m would mean that the user would need to first verify themselves before updating their password once the session is older than 15 minutes.
As far as I know other than logging in there's no separate password verification endpoint
No, logging in is the password verification 🙂 and with setting 
privileged_session_max_age
to a value that's acceptable in your use case, would be secure enough. Example: The user logged in and has a full 15 minutes to update their password. Once this time-frame has expired, the user is required to 
verify
themselves again with a login flow. This is enough to prevent someone else from updating their information.
b

bitter-arm-6486

01/07/2022, 4:55 PM
I see, ok
Setting this time works fine, thanks. However, I think it may still be worthwhile considering the instantaneous check at moment of change, since that seems to be fairly standard across all account managers
This time only reduces the window for risk of unauthorized change
p

proud-plumber-24205

01/07/2022, 4:58 PM
Alright, then I would suggest to please open an issue so that we can keep track of it and discuss it there 🙂
👍 1
b

bitter-arm-6486

01/07/2022, 4:58 PM
Will do
Thanks
2 Views
Powered by