Hi,
I am digging a bit into Lift user handling right now and I have some
concerns with respect to the uniqueID.
Say, someone gets a dump of my users table (doesn't need to be Lift's fault,
can be a bad database configuration), then all the passwords in there are
salted and hashed and so the attacker has no realistic chance of recovering
any of the passwords therein. Also, some intern who might have read access
to the database cannot see the password.
However, the uniqueID allows the password to be silently reset by visiting the
URL
http://myurl.com/user_mgt/reset_password/{uniqueID}
That is, even though the passwords cannot be recovered by an attacker, they
can be reset to an arbitrary value (which is bad enough for, say, online
banking). If I *noticed* that someone got access to my database, I can
simply say "UPDATE users SET uniqueId=..." and get rid of that problem, but
until I notice, the attacker is free to take over any account in the
database.
In fact, for the purpose of logging in to the website, the uniqueID is just
as valuable as the password itself. That is, it should in fact also be
hashed (and salted?) such that findUserByUniqueId(id: String) no longer
just does "find(By(uniqueId, id))", but rather something like
"find(By(uniqueIdHash, hash(id)))".
What do you think?
Tobias
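The scheme sketched in the post, as an added example that is not part of the original message or of Lift's own code: a hypothetical in-memory users table that stores only hash(uniqueID), hands the raw token out once for the e-mailed reset URL, and resolves a presented token by hashing it and looking the hash up, the analogue of `find(By(uniqueIdHash, hash(id)))`. It goes slightly beyond the post by also giving tokens an expiry and making them single-use. The `UserStore` class, its method names and the constructed rows are assumptions for the demonstration; Lift's Mapper API is not used.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    """One row of a constructed stand-in for the users table."""
    email: str
    password_hash: str                    # salted+hashed by the login code; opaque here
    unique_id_hash: Optional[str] = None  # hash(token); the raw token is never stored
    unique_id_expires: float = 0.0        # Unix time after which the token is dead


def hash_token(token: str) -> str:
    """Hash a reset token before it is stored, as a password would be.

    Plain SHA-256 is adequate here: the token is 256 bits of CSPRNG output, so
    neither precomputed tables nor brute force are feasible and no per-token
    salt is needed (a user-chosen password needs a slow, salted hash instead).
    """
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class UserStore:
    """In-memory table with an index on unique_id_hash (hypothetical, for the demo)."""

    def __init__(self) -> None:
        self._by_email: Dict[str, User] = {}
        self._by_unique_id_hash: Dict[str, User] = {}

    def add_user(self, email: str, password_hash: str) -> User:
        user = User(email=email, password_hash=password_hash)
        self._by_email[email] = user
        return user

    def dump(self) -> List[dict]:
        """What someone with read access to the table would see."""
        return [vars(u).copy() for u in self._by_email.values()]

    def issue_reset_token(self, email: str, ttl_seconds: int = 3600,
                          now: Optional[float] = None) -> str:
        """Create a fresh token, store only its hash, return the raw token
        so the caller can put it into the e-mailed reset URL."""
        now = time.time() if now is None else now
        user = self._by_email[email]
        if user.unique_id_hash is not None:        # replace any earlier token
            self._by_unique_id_hash.pop(user.unique_id_hash, None)
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        user.unique_id_hash = hash_token(token)
        user.unique_id_expires = now + ttl_seconds
        self._by_unique_id_hash[user.unique_id_hash] = user
        return token

    def find_user_by_unique_id(self, token: str,
                               now: Optional[float] = None) -> Optional[User]:
        """Analogue of find(By(uniqueIdHash, hash(id))): hash the presented
        value and look the hash up, so the stored column is not the secret."""
        now = time.time() if now is None else now
        user = self._by_unique_id_hash.get(hash_token(token))
        if user is None or now > user.unique_id_expires:
            return None
        return user

    def reset_password(self, token: str, new_password_hash: str,
                       now: Optional[float] = None) -> bool:
        """Reset the password if the token is valid, then consume the token."""
        user = self.find_user_by_unique_id(token, now)
        if user is None:
            return False
        user.password_hash = new_password_hash
        # Single use: a later reader of the table, or a replay of the URL, gets nothing.
        self._by_unique_id_hash.pop(user.unique_id_hash, None)
        user.unique_id_hash = None
        user.unique_id_expires = 0.0
        return True


def demo() -> dict:
    """Exercise the store with constructed data; returns the observations."""
    store = UserStore()
    store.add_user("alice@example.com", "$constructed-password-hash$")
    t0 = 1_700_000_000.0
    token = store.issue_reset_token("alice@example.com", now=t0)
    leaked = store.dump()                          # the hypothetical database dump
    stored = leaked[0]["unique_id_hash"]
    return {
        "token_in_dump": any(token in str(v) for row in leaked for v in row.values()),
        "reset_with_stored_hash": store.reset_password(stored, "x", now=t0),  # from the dump
        "reset_with_token": store.reset_password(token, "$new$", now=t0),     # from the e-mail
        "replay": store.reset_password(token, "y", now=t0),
        "expired": store.reset_password(
            store.issue_reset_token("alice@example.com", now=t0), "z", now=t0 + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

On the "(and salted?)" question: a salt defends a hash of a low-entropy secret against precomputed tables; a token drawn from 256 bits of CSPRNG output cannot be enumerated, so hashing it without a salt already leaves a dump of the `unique_id_hash` column useless to whoever reads it. Expiry and single use are independent of the hashing and limit how long a leaked e-mail or a lost URL stays valid.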