Some of the below is based on OWASP or NIST SP800-63b recommendations.
- The
user_id_field
value is always treated as case insensitive - If the
user_id_field
is:email
, it'll be validated based on RFC 5322 (sections 3.2.3 and 3.4.1) and RFC 5321 with unicode characters permitted in local and domain part
- The
:password
has a minimum length of 8 characters - The
:password
has a maximum length of 4096 bytes to prevent DOS attacks against Pbkdf2 - The
:password_hash
is generated withPBKDF2-SHA512
with 100,000 iterations
- The session value contains a UUID token that is used to pull credentials through a GenServer
- The credentials are stored in a key-value cache with TTL of 30 minutes
- The credentials and session are renewed after 15 minutes if any activity is detected
- The credentials and session are renewed when user updates
- If a user couldn't be found or the
:password_hash
isnil
a blank password is used - A UUID is always generated during reset password flow
- Tokens are signed for public consumption and verified before lookup:
- Session ID in
Pow.Plug.Session
- Persistent session token in
PowPersistentSession.Plug.Cookie
- Reset password token in
PowResetPassword.Plug
- E-mail confirmation token in
PowEmailConfirmation.Plug
- Invitation token in
PowInvitation.Plug
- Session ID in
- If authentication fails, a generic
The provided login details did not work. Please verify your credentials, and try again.
message is returned - When password reset is requested with
PowResetPassword
for an e-mail that doesn't exist, the genericIf an account for the provided email exists, an email with reset instructions will be send to you. Please check your inbox.
message is returned - When attempting to invite a user with
PowInvitation
using an already taken e-mail, the success messageAn e-mail with invitation link has been sent.
is returned
Enabling PowEmailConfirmation
extension will add additional protection:
- User is redirected with message to confirm their e-mail when they attempt to create a user with already taken e-mail
- Updating e-mail requires the user to confirm the e-mail address by clicking a link send to them
You can disable the protection by setting pow_prevent_user_enumeration: false
in conn.private
.
- The sign in, registration and invitation acceptance page won't be cached by the browser