I'm still developing the front end application (web only), but here are the server changes to review for password reset.
The plan is for the web to send a password request with the following body:
{
url:
firstName:
lastName:
username:
email:
}
The auth server will just forward the request given the URL in the body. The server will search for the user via first and last name, or username (in case someone forgot their username and password).
If an email address is associated with the account, the server will confirm it matches the given email address and then send out a reset link. If there is no address on file, it will send an email to the webmasters who will manually verify the request (if a school email address is used, they can just verify the email address matches the name of the person requesting it).
The reset link contains the user ID and a reset token. The token expires after 2 hours if an email address is registered, and expires after 48 hours if it is going through the webmasters.