request pwd reset token

[austinorr]

create "request reset token" button/ui

user requests reset token, system emails them a 1hr expiring token to reset their pwd. user navigates to page to enter new pwd.

@acang-gs let's flesh this out more too, the email could be a link to a route that has the token on it that the front end pops-off, or it can be a simple copy/paste exercise for user. currently it's the latter. let's discuss.

[acang-gs]

@austinorr including the token in a reset link sounds doable - is there a way for me to test email functionality locally or does this have to be done on the dev site? Also, is there a way to check whether the reset link has expired before submitting a password for reset? That way we can redirect the user to a page that lets them know that the link has expired.

[acang-gs]

As a user wanting to reset my password:

• I navigate (or am redirected) to the login page
• I enter my user email
• I click on the 'Forgot your password' link in the login form
• If my email has not been registered or is not a valid, I receive a message that the email I've entered is not associated with any registered user, or is not a valid email
• If my email registered, I receive a message that a reset link has been sent to my email, and that I should follow an attached link to reset my password
• I receive the reset email, and click on the link, which includes a reset token in the url
• I am redirected to a password reset page
• • if the reset token has expired, the page displays an expiration message (e.g. "We're sorry, this reset link has expired. Please attempt to reset your password again)
• • if the reset token is valid, I am shown a form that asks for a new password (with a confirmation password)
• I submit a new password, and am shown a message that the new password has been updated, and that I can return to the login page

[austinorr]

@austinorr including the token in a reset link sounds doable - is there a way for me to test email functionality locally or does this have to be done on the dev site?

Yes, i can give you the keys for your .env-dev

The backend is building and sending the email with the link, but the front end will need to 'catch' the token as a query param and then use it so the user doesn't have to copy/paste it into a form. We can work together on this, i have a reference implementation in WIP that i used to test the embedded links.

Also, is there a way to check whether the reset link has expired before submitting a password for reset? That way we can redirect the user to a page that lets them know that the link has expired.

maybe... we could add an 'expires_at' qparam that the front end can check, but we should likely not write a more general token checker into the backend.

[austinorr]

@acang-gs user forgot password flow (revised):

• click 'forgot password'
• enter email into single field form
• receive message that an email has been sent to the account holder with this email address. No warning or notice is given if the email is not associated with an account - that's a security breach

reset flow:

• user receives email with reset link
• linked page pulls the token and expiry stamp off the url qparams
• linked page presents two fields for resetting the password (one password, and one verify password)
• page posts token and new password to the auth/reset-password route
• if response == 200, user is redirected to login route.
• else user is ejected from the game forever (jk, they either submitted a bad password per our pwd validation, or their token has expired). re-route them to request reset form to enter their email again.