4

So, I’ve been given the task of sorting the security out in an application, plugging the holes and whatnot, as to be honest it’s shocking haha. It doesn’t help that we automate security audits, but that’s a different rant for another day.

We’re using devise for authentication (Rails standard, ♥️ devise). We have no password resets through the login page; it has to be manually reset by ringing support, why, who knows, even though it’s built into the gem. And we allow the user to log in using a username instead of an email because for whatever reason someone thought it was a bright idea to not make the email field mandatory.

So I hop onto a call with the BAs. Basically I say that we need to implement password resets into the login page so the user can do it themselves and also to cut down support calls; a ticket is already in place for it. So I go through the standardised workflow for resetting a password. My manager goes:

“I don’t think this will be very secure”

Wait... what. Have you never reset a password before? It’s following the same protocol as every other app.

We go back and forth and I said I’ll get it checked with security just to keep him happy.

The issue mainly is, well, we can’t implement password resets due to 100s of users not having an email on their account... 🙃 so before we push this change we need to try and notify all users to set a unique email.

Updated the tickets. All dandy.

Looking at the PRs to see what security things have been done, if any, and it turns out one of the devs in India has just written a migration to add the same default email to every user that doesn’t have an email present, and yep, it got merged. So I go revert the change, but talk about taking a “we don’t care about security” approach.

Eventually we want to have the user reset their passwords and log in using their email, and someone goes ahead and does that. Not to mention the security risk.

Jesus Christ I wonder why I bother sometimes.
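An added example, not code from the post or from devise, in plain Ruby so it runs without Rails: a pre-deploy data check plus a reset-lookup guard, showing what backfilling one shared default email does to an email-based password reset. The sample rows, the `noreply@example.invalid` address and the function names are constructed for the example.

```ruby
# Added example (not from the post): why a shared default email breaks reset.
# Constructed placeholder standing in for whatever default the migration used.
DEFAULT_EMAIL = 'noreply@example.invalid'

# Constructed sample rows: a users table after a migration backfilled the same
# address into every empty email, plus one row the migration missed.
USERS = [
  { id: 1, username: 'alice', email: 'alice@example.com' },
  { id: 2, username: 'bob',   email: DEFAULT_EMAIL },
  { id: 3, username: 'carol', email: DEFAULT_EMAIL },
  { id: 4, username: 'dave',  email: nil },
].freeze

# Normalise the way a login/reset form should: trim, downcase, blank => nil.
def normalize_email(email)
  e = email.to_s.strip.downcase
  e.empty? ? nil : e
end

# Returns { email => [ids] } for every address owned by more than one account.
# Run this against real data before switching on email-based reset; a non-empty
# result means the reset flow cannot identify a single account for that address.
def duplicate_emails(users)
  users.group_by { |u| normalize_email(u[:email]) }
       .reject { |email, _| email.nil? }
       .select { |_, rows| rows.size > 1 }
       .transform_values { |rows| rows.map { |u| u[:id] } }
end

# Accounts with no address at all: these users must be asked to set one before
# self-service reset can work for them.
def users_without_email(users)
  users.select { |u| normalize_email(u[:email]).nil? }.map { |u| u[:id] }
end

# Safe lookup for a reset request: return the account only when exactly one
# owns the address, otherwise nil. With the shared default address the lookup
# matches two accounts and refuses, instead of mailing a reset token for one
# user's account to an inbox that belongs to nobody in particular. The caller
# should show the same "if an account exists, we emailed it" message either way.
def user_for_password_reset(users, email)
  wanted = normalize_email(email)
  return nil if wanted.nil?
  matches = users.select { |u| normalize_email(u[:email]) == wanted }
  matches.size == 1 ? matches.first : nil
end

if __FILE__ == $PROGRAM_NAME
  puts "duplicates: #{duplicate_emails(USERS)}"
  puts "no email:   #{users_without_email(USERS)}"
  puts "reset for #{DEFAULT_EMAIL}: #{user_for_password_reset(USERS, DEFAULT_EMAIL).inspect}"
  puts "reset for alice: #{user_for_password_reset(USERS, ' Alice@Example.com ')[:username]}"
end
```

The two data checks are what a reviewer could have run against the migration's output before merging; the lookup guard is the belt-and-braces version for the reset endpoint itself, since a unique index on `email` is the real fix once the duplicates are cleaned up.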

Comments
  • 1
    My current job has a similar problem: a client schedules a mandatory training for their employees (and then we do the training). But employees may not have a company email so they get their credentials printed out on paper. Resetting a password is then handled via support.

    I was thinking about adding a couple of recovery passwords to the initial provided credentials (similar to one-time passwords like the Google Authenticator app). But I'm not sure this would be the best solution. Maybe letting the client reset their employees' passwords would be more secure? I don't know. This is such a stupid problem to have in 2021 lol

    But man, an email column with a default mail address... the things people come up with! Unbelievable.
  • 0
    He said plugging holes haha