View Issue Details

ID: 0011216
Project: Taler
Category: merchant backoffice SPA
View Status: public
Last Update: 2026-03-09 17:27
Reporter: vecirex
Assigned To: (unassigned)
Priority: low
Severity: feature
Reproducibility: always
Status: acknowledged
Resolution: open
Target Version: post-1.0
Summary: 0011216: PW change possible without any MFA
Description: Unlike in recent prior versions, in taler-merchant-v1.5.0 it's possible to change a PW (given the old one) without any additional MFA.
Steps To Reproduce: Just try to change the PW for an instance created.
Tags: No tags attached.
Attached Files:

Activities

vecirex (manager), note ~0028047, 2026-03-09 16:39, last edited 2026-03-09 16:42

To be clear: login still requires MFA (by default an email is sent with an auth code), but someone with access to an open Taler Portal site can change the PW (the old one may be found saved in the browser's PW manager), and the legitimate user will at least be surprised when a fresh login is attempted or another device is picked to log in.

Christian Grothoff (manager), note ~0028051, 2026-03-09 17:27

That was always the case. See:

MHD_RESULT
TMH_private_post_instances_ID_auth (const struct TMH_RequestHandler *rh,
                                    struct MHD_Connection *connection,
                                    struct TMH_HandlerContext *hc)
{
  struct TMH_MerchantInstance *mi = hc->instance;

  return post_instances_ID_auth (mi,
                                 connection,
                                 hc,
                                 false,
                                 TMH_TCS_NONE);
}

(in taler-merchant-httpd_post-management-instances-INSTANCE-auth.c)

If you have the old password (are logged in), you can change it. So this is NOT a regression. We can discuss the policy though...
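Added example (editor's illustration, not code from the reporter, the maintainer, or the taler-merchant code base): a small Python model of the two policies under discussion for a "change password" endpoint. Under the first policy the current password plus an open session is enough, which is the behaviour the report describes; under the second the caller must also redeem a fresh, single-use challenge code that was issued specifically for a password change, so a code mailed for login cannot be reused, an expired or already-used code is rejected, and every other session is logged out once the password changes. The in-memory store, the class and function names, PBKDF2 for hashing, the 6-digit mailed code and the 5-minute code lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

POLICY_OLD_PASSWORD_ONLY = "old-password-only"  # behaviour this issue reports
POLICY_STEP_UP_MFA = "step-up-mfa"              # alternative policy to discuss
CHALLENGE_TTL = 300                             # assumed code lifetime, seconds

def _hash(secret: str, salt: bytes) -> bytes:
    # stdlib PBKDF2-HMAC-SHA256; iteration count picked for the example only
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Challenge:
    purpose: str      # the one operation this code may authorise
    salt: bytes
    digest: bytes     # hash of the code; the clear code exists only in the mail
    expires: float
    used: bool = False

@dataclass
class Instance:
    name: str
    pw_salt: bytes
    pw_hash: bytes
    sessions: set = field(default_factory=set)
    challenge: Optional[Challenge] = None

class MerchantBackend:
    """Assumed in-memory instance store; 'sent_mail' captures outgoing e-mail."""
    def __init__(self, policy: str, clock=time.time):
        self.policy = policy
        self.clock = clock
        self.instances: dict[str, Instance] = {}
        self.sent_mail: list[tuple[str, str]] = []

    def create_instance(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.instances[name] = Instance(name, salt, _hash(password, salt))

    def check_password(self, name: str, password: str) -> bool:
        inst = self.instances[name]
        return hmac.compare_digest(inst.pw_hash, _hash(password, inst.pw_salt))

    def issue_challenge(self, name: str, purpose: str) -> None:
        # mail a fresh 6-digit code bound to 'purpose'; store only its hash
        code = f"{secrets.randbelow(1_000_000):06d}"
        salt = os.urandom(16)
        self.instances[name].challenge = Challenge(
            purpose, salt, _hash(code, salt), self.clock() + CHALLENGE_TTL)
        self.sent_mail.append((name, f"Your code for {purpose}: {code}"))

    def redeem_challenge(self, name: str, purpose: str, code: Optional[str]) -> bool:
        # accept only an unused, unexpired code issued for this exact purpose
        ch = self.instances[name].challenge
        if code is None or ch is None or ch.used or ch.purpose != purpose:
            return False
        if self.clock() > ch.expires:
            return False
        ch.used = True  # burn the code on any attempt, so it cannot be guessed
        return hmac.compare_digest(ch.digest, _hash(code, ch.salt))

    def login(self, name: str, password: str, code: str) -> str:
        # login always needs password + mailed code, as the report describes
        if not (self.check_password(name, password)
                and self.redeem_challenge(name, "login", code)):
            raise PermissionError("login rejected")
        token = secrets.token_urlsafe(16)
        self.instances[name].sessions.add(token)
        return token

    def change_password(self, name: str, session: str, old_pw: str,
                        new_pw: str, code: Optional[str] = None) -> None:
        inst = self.instances[name]
        if session not in inst.sessions or not self.check_password(name, old_pw):
            raise PermissionError("not logged in or wrong current password")
        if (self.policy == POLICY_STEP_UP_MFA
                and not self.redeem_challenge(name, "change-password", code)):
            raise PermissionError("fresh MFA challenge required to change password")
        inst.pw_salt = os.urandom(16)
        inst.pw_hash = _hash(new_pw, inst.pw_salt)
        inst.sessions = {session}  # log out every other device
        self.sent_mail.append((name, "Your password was changed"))

def mailed_code(backend: MerchantBackend) -> str:
    # read the most recently mailed code back out of the captured mail
    return backend.sent_mail[-1][1].rsplit(": ", 1)[1]

def open_session_attack(policy: str) -> bool:
    """True when someone holding an open session plus the old password can
    change it without a fresh code (the reporter's scenario)."""
    be = MerchantBackend(policy)
    be.create_instance("shop", "hunter2")
    be.issue_challenge("shop", "login")
    session = be.login("shop", "hunter2", mailed_code(be))
    try:
        be.change_password("shop", session, "hunter2", "pwned")  # no code given
        return True
    except PermissionError:
        return False
```

`open_session_attack(POLICY_OLD_PASSWORD_ONLY)` succeeds and `open_session_attack(POLICY_STEP_UP_MFA)` is refused; the difference is only whether `change_password` demands a challenge bound to the purpose "change-password". Binding the code to a purpose is what keeps a login code from doubling as a password-change code, and revoking the other sessions afterwards is the usual companion measure so that whoever changed the password is the only one left logged in.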

Issue History

Date Modified Username Field Change
2026-03-09 16:31 vecirex New Issue
2026-03-09 16:31 vecirex File Added: taler-merchant-pw-change-possible-without-mfa.png
2026-03-09 16:31 vecirex File Added: taler-merchant-pw-change-possible-without-mfa-2.png
2026-03-09 16:39 vecirex Note Added: 0028047
2026-03-09 16:39 vecirex Note Edited: 0028047
2026-03-09 16:41 vecirex Note Edited: 0028047
2026-03-09 16:42 vecirex Note Edited: 0028047
2026-03-09 16:42 vecirex Note Edited: 0028047
2026-03-09 17:27 Christian Grothoff Note Added: 0028051
2026-03-09 17:27 Christian Grothoff Priority high => low
2026-03-09 17:27 Christian Grothoff Severity major => feature
2026-03-09 17:27 Christian Grothoff Status new => acknowledged
2026-03-09 17:27 Christian Grothoff Target Version => post-1.0