AccountManagementService bug or not?

Avatar

Avatar

Eric_Stricker

Avatar

Eric_Stricker

Eric_Stricker

06-07-2020

[Re-post from: https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager-forms/accountmanagementser...]

 

I was looking at the "AccountManagementService" as this function provide two nice features to validate users who can register themselves and it provide a feature to allow user to reset their own password.

 

One point I want to understand is the host validation. The host name of the production server is not the same as the URL the external customer is looking at. So for the generation of the email we call the service accountManagementService.requestPasswordReset with the hostname equal to the external facing hostname. This hostname is embedded in the token as one of the secured parameters AND is used to generate the URL in the email that the user can click.

 

On the return the system validate the token in the "AccountManagementServlet"  with this private code below. The host name here is the internal host name so the token will always be invalid as the internal host name is different from the external host name embedded in the token. Is there something I overlook here?

 

  private boolean isTokenValid(String token, String hostname) {
if (!this.jwsValidator.validate(token))
return false;
String hostField = getTokenField(token, "host");
return (hostField != null && !"".equals(hostField) && hostname != null &&
!"".equals(hostname) && hostField.equals(hostname));
}

 

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar

Arun_Patidar

MVP

Total Posts

(val/1000)?string[".0"]}K

Likes

958

Correct Answer

820

Avatar

Arun_Patidar

MVP

Total Posts

(val/1000)?string[".0"]}K

Likes

958

Correct Answer

820
Arun_Patidar
MVP

08-07-2020

Answers (0)