Add breached webhook blog post #171
Conversation
site/_posts/2020-08-07-locking-an-account-with-breached-password.md
excerpt_separator: "<!--more-->" | ||
--- | ||
|
||
Suppose you have an application to which access is so sensitive that if any user's password is found to be breached, the account should immediately be locked. This feature isn't built into FusionAuth. What can you do? |
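Review bot: "This feature isn't built into FusionAuth" overstates the gap, as the review thread on this hunk points out: breach detection at login with a forced password change already exists, and what is missing is a mode that locks the account until an administrator unlocks it (and drops existing refresh tokens). Suggest rewording along the lines of "FusionAuth can already block the login and force a password change; what it doesn't do out of the box is lock the account so that an admin has to unlock it", so the post introduces the webhook as an extension rather than as filling an absence.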
> This feature isn't built into FusionAuth.
I don't know if I agree with this. If you turn on breach detection during login and force a password change, that is essentially the same as locking the account.
I suppose the difference would be that we aren't (currently) providing an option to fail login, force a password change, and delete all "sessions" (refresh tokens). Perhaps we should add that as a configuration option.
My only concern is to not minimize what we already offer. Could we say that we do allow you to force an immediate change to the password and block the login attempt - but if you want to completely disable the user, or lock their account ... read on?
I can work on soft selling, but in my mind there is a difference between "user has to change their password and can login after that" and "user has account locked and can't gain access without admin unlocking the account".
Honestly, it's less about the particular action and more about how easy it is to extend FusionAuth.
|
||
## Results | ||
|
||
If you install the webhook, follow the instructions in [the repository](https://github.com/FusionAuth/fusionauth-example-php-webhook/blob/master/README.md), and login as a user with a breached password, the user will see this screen on their first failed login: |
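Review bot: the sentence refers the reader to a screenshot of the error shown on the failed login, but the thread on this hunk says that message is probably a bug and that the expected text is along the lines of "One or more webhooks returned an invalid response or were unreachable. Based on your transaction configuration, your action cannot be completed" (which is themeable). Either swap the screenshot once that is resolved or add a sentence saying the wording depends on the theme and may differ from what is pictured. Separately, the README link targets the master branch of fusionauth-example-php-webhook, so the repository's instructions can drift from what the post describes; linking a tagged commit would keep the post and the code in step.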
I don't think this message is correct... assuming this is the error you're seeing when the webhook fails? This may be a bug. I can take a look.
You don't need to hold up the blog, we can always revise with a new screenshot if needed.
Correct, that is the error I'm seeing. Would you like me to file a bug?
I just checked, we have a test for this, so not sure how this is happening. You should see something like "One or more webhooks returned an invalid response or were unreachable. Based on your transaction configuration, your action cannot be completed" - and that message is theme-able.
I can try click testing it as well, perhaps the test is missing some edge case. Feel free to open a bug.
|
||
```php | ||
//... | ||
http_response_code(500); |
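Review bot: `http_response_code(500)` is used here for the deliberate rejection, but the discussion on this hunk distinguishes a 500 (an error on the webhook's side, which FusionAuth writes to its event log) from a 4xx (a deliberate fail). The post should say which contract the example relies on, namely that any non-2xx response fails the transaction and that, as of this thread, a failing webhook produces an error event log entry either way, so readers are not surprised by an error log entry on every locked login. If the webhook returns a JSON body with the status, say so, since that body is what gets logged.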
As an aside, we do actually create an error event log when a webhook fails. So if the webhook wanted to return JSON in a response body it would get logged in the event log for record.
I may open an issue to better define expected return status codes. It would be kind of nice to allow the webhook to return a status code that says fail the request, but don't log an error. So maybe we could document that a 500 is an error on your end, and a 4xx is a fail, but only log it if debug is enabled for the webhook.
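To make the status-code contract discussed above concrete, here is an added example of a complete webhook endpoint in the same style as the PHP snippet in the post. It is not the code from fusionauth-example-php-webhook or from this PR. It assumes (none of which this thread establishes): that FusionAuth delivers a `user.password.breach` event with the user's id in `event.user.id` and that the webhook is configured as transactional, so a non-2xx response fails the login that triggered it; that a user is deactivated with `DELETE /api/user/{id}` authenticated by an API key in the `Authorization` header; and that FusionAuth is configured to send a fixed `X-Webhook-Secret` header, which the endpoint compares against a `WEBHOOK_SECRET` environment variable. It returns 500 only when the deactivation itself failed, and a 4xx for the deliberate rejection, which is the split the reviewer proposes rather than current FusionAuth behaviour.

```php
<?php
// Added example (not the project's webhook). Assumptions are marked below.
declare(strict_types=1);

const FUSIONAUTH_URL = 'http://localhost:9011';        // assumed deployment URL
$apiKey        = getenv('FUSIONAUTH_API_KEY') ?: '';    // assumed env var
$webhookSecret = getenv('WEBHOOK_SECRET') ?: '';        // assumed env var

// Send a JSON reply and stop. On failure this body is what FusionAuth logs.
function reply(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// 1. Only accept a POST that carries the shared secret. Anything else is not
//    FusionAuth, so refuse it before touching the user store. hash_equals
//    avoids a timing side channel on the comparison.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reply(405, ['error' => 'POST only']);
}
$presented = $_SERVER['HTTP_X_WEBHOOK_SECRET'] ?? '';   // assumed header name
if ($webhookSecret === '' || !hash_equals($webhookSecret, $presented)) {
    reply(401, ['error' => 'bad webhook secret']);
}

// 2. Parse the envelope, assumed to look like
//    {"event": {"type": "user.password.breach", "user": {"id": "<uuid>"}}}
$payload = json_decode((string) file_get_contents('php://input'), true);
$event   = $payload['event'] ?? null;
if (!is_array($event) || !isset($event['type'])) {
    reply(400, ['error' => 'malformed event']);
}

// 3. Every other event type is acknowledged with 200 so that transactions
//    this webhook is not interested in are never blocked by it.
if ($event['type'] !== 'user.password.breach') {
    reply(200, ['ignored' => $event['type']]);
}
$userId = (string) ($event['user']['id'] ?? '');
if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $userId)) {
    reply(400, ['error' => 'missing or malformed user id']);
}

// 4. Deactivate (soft delete) the user through the FusionAuth API. The
//    endpoint and header are assumptions, see the lead-in.
$ch = curl_init(FUSIONAUTH_URL . '/api/user/' . rawurlencode($userId));
curl_setopt_array($ch, [
    CURLOPT_CUSTOMREQUEST  => 'DELETE',
    CURLOPT_HTTPHEADER     => ['Authorization: ' . $apiKey],
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 5,
]);
curl_exec($ch);
$apiStatus = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

if ($apiStatus !== 200) {
    // Our side failed and the account may still be active: this is a real
    // error, so 500 is right. FusionAuth fails the login and logs the body.
    reply(500, ['error' => 'deactivate failed', 'fusionauth_status' => $apiStatus]);
}

// 5. The account is locked. Any non-2xx status fails the triggering login;
//    a 4xx says "rejected on purpose" rather than "something broke". As of
//    this thread FusionAuth still logs an error for it, so the post's
//    unconditional 500 is equally valid until the codes are documented.
reply(403, ['locked' => $userId]);
```

Run it behind the web server that FusionAuth's webhook URL points at, with `FUSIONAUTH_API_KEY` and `WEBHOOK_SECRET` set in the environment. The secret check matters because the endpoint deactivates whichever user id it is told about: without it, anyone who can reach the URL can lock arbitrary accounts by posting a forged event.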
Push to correct date, whoops, missed this in #171
* starting wp migration article
* save
* save
* wp values description
* info on hashing
* write this as a proper article following FA structure
* save
* save
* save
* mention stronger algorithm
* todo
* write
* save
* save
* save
* finished article
* image updates
* text updates
* text updates
* text updates
* text updates
* WordPress Migration language edit
* Merge pull request #172 from ritza-co/wordpress-migration-language-edit
  WordPress Migration language edit
* Merge pull request #171 from ritza-co/update-migrate_wp
  Update migrate Wordpress
* Merge branch 'master' into migrate_wp
  # Conflicts:
  # astro/src/content/docs/lifecycle/migrate-users/provider-specific/wordpress.mdx
* fix image location