Closed tryyang2001 closed 1 year ago
- the page is not very descriptive actually. We should let the user know that they should provide their registered email. Or if we don't want to do this, when I provide an email that does not exist in our database, we should modify the toast message to tell the user that hey, this account does not exist, instead of "something went wrong"...???
- @xingjie99 fyi
Would that be a security concern as well? If I am not wrong, for password reset, usually they will not tell you if the email does not exist in their account.
- [ ] No go back option for reset password page:
- this is very sad: the moment I enter the forgotPassword page, I can only navigate by changing the URL; there is no other way to go back to the login page... Please fix this for better UX
- @xingjie99 FYI
Will include a button for backward navigation.
- [ ] Error message for incorrect password:
- Although security is not our top priority, I think we should maintain good practice if it is not hard to follow. I think the error message for an incorrect password should be changed to something else instead of letting the user know that the password is incorrect.
- @xingjie99 fyi
Okie noted, will update too
Would that be a security concern as well?
Unlike telling the user that the password provided is incorrect, telling them the email has not been registered is relatively less dangerous. However, if you do think that it is inappropriate to let the user know whether an account has been registered, we can construct the message like:
If an account with this email address exists, you will receive an email with instructions on how to reset your password.
instead of "Something went wrong". I think this way the toast message will be more informative.
Or maybe, on the reset password page itself, we can let the user know that they should give a registered email. I am using a message generated by ChatGPT as an example:
Please make sure you've entered the correct email address. If you have an account, you will receive a password reset email shortly.
I think we can also do something similar to this?
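As an added example (not the project's own code) of the three changes discussed in this thread, a small Node/Express-style sketch; the in-memory user store, the mailer and the auth-service client are stand-ins assumed for the example:

```javascript
// Added example, not the project's own code: uniform responses for the three
// points raised in this issue. The user store, mailer and auth-service client
// are assumed stand-ins for whatever the project actually uses.

const RESET_MESSAGE =
  'If an account with this email address exists, you will receive an email ' +
  'with instructions on how to reset your password.';
const LOGIN_ERROR = 'Incorrect email or password.';

// Constructed in-memory user store (hypothetical data for the example).
const users = new Map([['john.doe@example.com', { id: 1, passwordHash: 'h1' }]]);
const DUMMY_USER = { id: 0, passwordHash: 'dummy' }; // keeps login timing uniform

function findUserByEmail(email) {
  return users.get(String(email).trim().toLowerCase()) || null;
}

// Forgot-password: identical status and toast text whether or not the email is
// registered, so the response cannot be used to enumerate accounts. A mailer
// failure is logged server-side and likewise not surfaced to the client.
async function forgotPassword(email, sendResetEmail) {
  const user = findUserByEmail(email);
  if (user) {
    try { await sendResetEmail(user); } catch (err) { console.error('reset mail failed', err); }
  }
  return { status: 200, message: RESET_MESSAGE };
}

// Login: one generic error for both "unknown email" and "wrong password".
// verifyPassword stands in for e.g. a bcrypt compare against user.passwordHash;
// it is run against DUMMY_USER when the email is unknown so both paths cost the same.
async function login(email, password, verifyPassword) {
  const user = findUserByEmail(email);
  const ok = (await verifyPassword(user || DUMMY_USER, password)) && user !== null;
  return ok ? { status: 200, userId: user.id } : { status: 401, message: LOGIN_ERROR };
}

// Express-style auth middleware: if the auth service throws (e.g. it is down),
// answer 503 instead of letting the exception crash the server.
function authMiddleware(verifyWithAuthService) {
  return async function (req, res, next) {
    try {
      req.user = await verifyWithAuthService(req.headers.authorization);
    } catch (err) {
      console.error('auth service unavailable', err);
      return res.status(503).json({ message: 'Authentication temporarily unavailable' });
    }
    return next();
  };
}
```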
Hi, I plan to append all the issues/bugs found related to the authentication in this issue.
So far there are some problems found:
[x] If the auth service is down for whatever reason, it will crash the currently running server.
we should make it fail gracefully and not crash the server; this requires an update to the auth middleware code
@tlyi is already aware of this issue :)
[x] Resetting password logic is weird:
since now we have the auth working, I couldn't get back my favourite John Doe account xD. So I tried to reset the password. The page is not very descriptive actually. We should let the user know that they should provide their registered email. Or if we don't want to do this, when I provide an email that does not exist in our database, we should modify the toast message to tell the user that hey, this account does not exist, instead of "something went wrong"...???
@xingjie99 fyi
[x] No go back option for reset password page:
this is very sad: the moment I enter the forgotPassword page, I can only navigate by changing the URL; there is no other way to go back to the login page... Please fix this for better UX
@xingjie99 FYI
[x] Error message for incorrect password:
Although security is not our top priority, I think we should maintain good practice if it is not hard to follow. I think the error message for an incorrect password should be changed to something else instead of letting the user know that the password is incorrect.
@xingjie99 fyi