• signup
• login
• password reset
• 2fa
• session management
  • prolonging a session automatically
  • discarding a session if we're enough things changed (IPs can drastically change on carnet from request to request - so we should check for specific subnets etc)
• token management
  • idempotent tokens for csrf handling
  • usable only on specific actions

probably should spin off some of these into separate issues at some point

• for security-related events
  - [ ] logins
  • password changes
  • password resets
    - [ ] login failures
• admin alerts
  • new applications
    - [ ] blocked logins
• for competition-related events
  • confirming an application was submitted
    - [ ] confirming an application was approved
    -[ ] automatically sending a certificate of appreciation to members of the application and mentors

The output at /organiserpanel cuts of at a consistent point (if there have been no changes to the database), depending only on the logged in user.

This does not happen locally and we haven't found a way to reproduce it in development environments.

https://github.com/danielmiessler/SecLists/tree/master/Passwords
https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret

• password changes
• user data changes
• session invalidation
• session viewing
• data exports

Usually, they are replaced using the /application/[0-9]{1,}/video and /application/[0-9]{1,}/pdf endpoints, but these don't respond differently for some reason anymore.

@Sarmaguy, please look into why this could be happening.

As stated in the title, user ID isn't being logged for AccountSecurity/LoginFail/WrongPassword errors, which should be fixed as it disables account-level login attempt blocking and makes debugging and security harder.

Signup errors due to AAI collision, password reset causes error

This means logging

• failed logins (both by account and IP)
• access control failures
• input validation failures

to

• in the database
• in logfiles
• other, off-server solutions

and

• alerting admins about security failures