YunoHost / issues

General issue tracker for the YunoHost project

Provide users with a way to reset their password #878

Open yunohost-bot opened 7 years ago

yunohost-bot commented 7 years ago
Original Redmine Issue: 878

Author Name: alexAubin


Continuation of https://github.com/YunoHost/SSOwat/issues/6

We need to have a way for users to reset/retrieve their password. Easiest way to do so: send a mail to the domain admin. Store a fallback mail address, in the case that admin couldn't contact the user IRL.

gnouts commented 5 years ago

What's the status of this issue? Is it hard to implement, from a security perspective?

Psycojoker commented 5 years ago

No one has been working on it yet.

Technically it's not extremely hard since it has been done a lot of times already, but we have YunoHost-specific questions for that (like if you lost your SSO password... that also happens to be your email password... sending you an email is a bit pointless, etc.)

gnouts commented 5 years ago

I understand. I was thinking of something that let users enable this feature. Enabling it would require the user to provide a recovery email which is not the yunohost one. It's something most users are used to, IMO.

(I'm surprised this issue is not requested more ^^)

Psycojoker commented 5 years ago

> (I'm surprised this issue is not requested more ^^)

People tend to use YunoHost for a small group of users or only themselves in general, it's quite new that we have bigger scale usage '-'

alexAubin commented 5 years ago

Note that the issue is imho not trivial to solve: many people don't have a working email stack (either because they don't care so much about it, because they didn't set up the DNS records properly, or because their ISP doesn't allow opening port 25, or ...)

So sending an email to an external address is not guaranteed to work ...

One can imagine fallback solutions such as having some sort of custom relay hosted on yunohost's project infrastructure (with various constraints to limit abuse). Or just send an email to the admin of the instance to get the password reset (assuming the admin reads emails). Or yunohost could simply disable the recovery password thing automatically if it's able to diagnose that the mail stack ain't properly working / configured.

alexAubin commented 3 years ago

(Supposedly ljf is working on this)

zamentur commented 3 years ago

Exactly, I am currently working on finding a way to specify a specific mail for recovery in LDAP.

artybdrlt commented 2 years ago

Hello @zamentur! Have you found something yet regarding this issue?

alexAubin commented 1 month ago

Initial exploration was done in https://github.com/YunoHost/yunohost/pull/1322 and the person working on it should have a look before jumping into work.

In particular, the _smtp_is_secured_enough(..) function at the very end of the diff
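
The precondition raised earlier in the thread (a recovery address that does not depend on the YunoHost mailbox whose password was lost), sketched as an added example that is not part of the thread or of YunoHost's code. The function names, the `resolve_mx` callback and the sample domains are assumptions constructed for illustration; it also rejects addresses whose MX points back at the instance, which goes one step beyond what the thread states.

```python
from __future__ import annotations
from typing import Callable, Iterable

def _norm(domain: str) -> str:
    # Lower-case, drop the trailing root dot, IDNA-encode: exact comparisons.
    return domain.strip().rstrip(".").lower().encode("idna").decode("ascii")

def _same_or_sub(domain: str, parent: str) -> bool:
    return domain == parent or domain.endswith("." + parent)

def recovery_address_problem(
    address: str,
    instance_domains: Iterable[str],
    resolve_mx: Callable[[str], list[str]],
) -> str | None:
    """Return why the address is unusable for recovery, or None if acceptable."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return "not an email address"
    try:
        domain = _norm(domain)
    except UnicodeError:
        return "invalid domain"
    hosted = [_norm(d) for d in instance_domains]
    # Conservative: subdomains of a hosted domain count as hosted too.
    if any(_same_or_sub(domain, h) for h in hosted):
        return "mailbox is hosted on this instance"
    mx_hosts = [_norm(h) for h in resolve_mx(domain)]
    if not mx_hosts:
        return "domain has no MX record"
    # A vanity domain whose mail lands on this server is locked out as well.
    if any(_same_or_sub(mx, h) for mx in mx_hosts for h in hosted):
        return "mail for this domain is delivered to this instance"
    return None

# Constructed sample data (hypothetical instance and MX table, no DNS lookups).
SAMPLE_INSTANCE_DOMAINS = ["example.org", "cloud.example.net"]
SAMPLE_MX = {
    "elsewhere.test": ["mx1.provider.test."],
    "vanity.test": ["mail.example.org."],
}

def sample_resolver(domain: str) -> list[str]:
    return SAMPLE_MX.get(domain, [])

if __name__ == "__main__":
    for addr in ("alice@example.org", "alice@vanity.test", "alice@elsewhere.test"):
        print(addr, "->", recovery_address_problem(
            addr, SAMPLE_INSTANCE_DOMAINS, sample_resolver))
```

In a real deployment `resolve_mx` would wrap an actual DNS lookup, and the check would run both when the address is registered and again before a reset mail is sent.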