TurtleCode84 / tracktask

TrackTask - An open-source task management platform geared towards organized collaboration.
https://tracktask.eu.org
MIT License

Feature: Reset forgotten password #74

Closed Quantum-Codes closed 10 months ago

Quantum-Codes commented 1 year ago

These are very important to implement and I think Change password should be given priority

cruncher12 commented 1 year ago

I can reset that password if you message me on Discord. I am an admin.

Quantum-Codes commented 1 year ago

> I can reset that password if you message me on Discord. I am an admin.

Thanks, now only change password feature needed

TurtleCode84 commented 1 year ago

Definitely a priority, but I need suggestions, how are we going to reset forgotten passwords? We could do a reset multiple ways:

cruncher12 commented 1 year ago
> • Some other way that doesn't require an email, if that's even possible and secure?

We can store old passwords hashed and have it verify that is your old password. Kinda the way Chromebooks verify sign-in when you change your password.

TurtleCode84 commented 1 year ago

But wouldn't that only work if you remembered your password? In that case you wouldn't have to reset your password because you wouldn't have forgotten it lol

On Wed, Oct 12, 2022, 3:35 PM cruncher12 @.***> wrote:

> • Some other way that doesn't require an email, if that's even possible and secure? We can store old passwords hashed and have it verify that is your old password. Kinda the way Chromebooks verify sign-in when you change your password.


cruncher12 commented 1 year ago

No, the password before the one you forgot.

TurtleCode84 commented 1 year ago

Hmm, it could work, maybe something like a security phrase? But if you forget the security phrase then you have to get that reset 🤣

(Edit: Nevermind, super insecure)

Still a good idea though 👍

On Wed, Oct 12, 2022, 7:06 PM cruncher12 @.***> wrote:

> No, the password before the one you forgot.


cruncher12 commented 1 year ago

Maybe a reset file?

cruncher12 commented 1 year ago

The security phrase could be encrypted/hashed maybe?

Quantum-Codes commented 1 year ago

A security phrase is even more insecure than a password since people will probably make easily guessable phrases.

TurtleCode84 commented 1 year ago

Right, at that point you might as well make it a second password, and then what if you forget that?

Quantum-Codes commented 1 year ago

Making a second password is useless... May work but uh not ideal

TurtleCode84 commented 1 year ago

Guess we have to get an SMTP 🙄

TurtleCode84 commented 1 year ago

> Guess we have to get an SMTP 🙄

In this case I'm going to have to push this feature back, even though it's "priority", I'm not sure if we'll have a spare endpoint once everything is in place so I want to wait.

cruncher12 commented 1 year ago

We don't need to have an SMTP server… We could just have an MX record pointing to whatever we use. Or, we could just use ProtonMail or GMail. Anything really works fine if it has an SMTP or mail server to send it through. It is pretty easy to implement sending emails in Python, at least.

TurtleCode84 commented 1 year ago

> We don't need to have an SMTP server… We could just have an MX record pointing to whatever we use. Or, we could just use ProtonMail or GMail. Anything really works fine if it has an SMTP or mail server to send it through. It is pretty easy to implement sending emails in Python, at least.

Yeah, the only demotivator I have with going through the process is that a lot of mail services have either a really long verification time or they just block you and force you to email support & wait about a week for a response... We're using MX records right now for Cloudflare email routing, but that's about all it can do.

I'll try not to be lazy this weekend :P

cruncher12 commented 1 year ago

What are we using right now? (for emails)

Quantum-Codes commented 1 year ago

> What are we using right now? (for emails)

MX records

> We're using MX records right now for Cloudflare email routing, but that's about all it can do.

cruncher12 commented 1 year ago

What I was saying is what email service are we using (GMail, etc. what?)

cruncher12 commented 1 year ago

This next week, I'll try and make a PoC password reset thing in python. It should be too hard, but we'll see I guess.

cruncher12 commented 1 year ago

Shouldn't*

TurtleCode84 commented 1 year ago

> What I was saying is what email service are we using (GMail, etc. what?)

We aren't at the moment, the only email stuff we have is MX records that redirect mail sent to our domain addresses to my personal email, through Cloudflare.

On Sat, Oct 15, 2022, 7:54 AM cruncher12 @.***> wrote:

> What I was saying is what email service are we using (GMail, etc. what?)


cruncher12 commented 1 year ago

Oh, that makes a bit more sense. :'D

TurtleCode84 commented 1 year ago

> Oh, that makes a bit more sense. :'D

Sorry if I was confusing lol

cruncher12 commented 1 year ago

Oh, it's okay, no problem. It was like 6 in the morning so my brain was not working. 🥶

TurtleCode84 commented 1 year ago

Just migrated from Cloudflare's email routing to Zoho mail, so now I can both send and receive mail from the .tracktask.eu.org domain. I also should be able to make a mail sending API if I figure out how to use OAuth2.

TurtleCode84 commented 1 year ago

Update on this, I'm getting SendGrid SMTP set up, we have exactly one API endpoint to spare so this may get pushed forward on the timeline.

TurtleCode84 commented 1 year ago

Will focus on this after #227
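
The e-mail reset the thread settles on, sketched as an added example (not TrackTask's code and not written by any participant above): a random single-use token is mailed to the user while the server keeps only its hash and an expiry. The in-memory store, the `example.org` addresses, the 15-minute lifetime and the function names are assumptions for illustration; the message is built but not sent.

```python
import hashlib
import secrets
import time
from email.message import EmailMessage
from typing import Optional

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

# Hypothetical in-memory store: token digest -> (username, expiry time).
# A real application would keep this in its database.
_pending = {}


def _digest(token: str) -> str:
    # Only the SHA-256 digest is stored, so a leaked table holds no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset(username: str, address: str, now: Optional[float] = None) -> EmailMessage:
    """Create a single-use reset token and return the e-mail that carries it."""
    now = time.time() if now is None else now
    # A new request invalidates any token still outstanding for this user.
    for key in [k for k, (user, _) in _pending.items() if user == username]:
        del _pending[key]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_digest(token)] = (username, now + TOKEN_TTL)
    msg = EmailMessage()
    msg["From"] = "noreply@example.org"  # placeholder sender
    msg["To"] = address
    msg["Subject"] = "Password reset"
    msg.set_content(
        f"https://example.org/reset?token={token}\n"  # placeholder URL
        "This link expires in 15 minutes."
    )
    return msg


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username for a valid token and consume it; otherwise None."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)  # pop() makes the token single-use
    if entry is None:
        return None
    username, expiry = entry
    return username if now <= expiry else None
```

Unlike a stored security phrase, the secret here is generated by the server, never chosen by the user, and is worthless after one use or after it expires.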