Infinite-Chess / infinitechess.org

Infinite Chess Web Server
https://www.infinitechess.org
GNU Affero General Public License v3.0
177 stars 40 forks

Password Reset #3

Open Naviary2 opened 3 months ago

Naviary2 commented 3 months ago

There is no automated way yet to reset a user's password when they forget it. Currently they have to email me, and I have to manually delete their account JSON data, ask them to recreate their account, and then reinstate their account details.

Proposal

When you enter your password incorrectly, add a "Forgot password?" button that, when pressed, asks for your username or the email associated with your account, then sends a password reset email to that user if they exist.

The link in that email leads you to a one-time use page to change your password.

Expire the link after 5m?

Validate their identity with their browser-id cookie.

Wyatt-Lutz commented 2 months ago

I concur, except it would be better to have the "Forgot Password" button always visible, as that is usually what users see on other websites. Otherwise, users may be confused about where to reset their password if they have forgotten it entirely.

Also, we could implement a one-time code users receive after they enter their email/username, which they would enter on the password reset page. This could be added as extra security, or instead of the cookie, or not at all. Both security implementations work well.