Sometimes users forget their passwords and need a secure way to regain access to their accounts. A self-service password reset feature would add ease for users and time savings for support. Also, for when admin or support staff are working with a user and using the command line, they can use either the user email or username to get the app to send them a password reset link.
Acceptance Criteria/plan
Add a "Forgot Password" route. This route (or routes) would serve both API calls from admins using the command line and API calls via a web interface so users can click "I forgot my password." Either way, the route(s) would accept an email address to mail the reset link to. We might decide to allow admins to requst that reset via submitting username instead of email.
Create a secure password reset flow:
User requests password reset by entering their email.
System generates a unique, time-limited reset token.
Send a password reset link with the token to the user's email.
Provide a secure page for users to enter a new password.
Verify the token's validity before allowing password change.
Implement rate limiting on password reset requests to prevent abuse.
Log all password reset attempts for security auditing.
Ensure the new password meets the system's password strength requirements. If request coming from web interface, add some front-end JS to validate before allowing submission of the form.
Notify users via email when their password is changed.
Provide clear instructions and error messages throughout the process.
Background/need
Sometimes users forget their passwords and need a secure way to regain access to their accounts. A self-service password reset feature would add ease for users and time savings for support. Also, for when admin or support staff are working with a user and using the command line, they can use either the user email or username to get the app to send them a password reset link.
Acceptance Criteria/plan