bouncepaw / mycorrhiza

🍄📑 Filesystem and git-based wiki engine for the independent web written in Go and using Mycomarkup as its primary markup language.
https://mycorrhiza.wiki
GNU Affero General Public License v3.0

Changing passwords #211

Closed JacksonChen666 closed 9 months ago

JacksonChen666 commented 9 months ago

Seems like Mycorrhiza doesn't have the feature of changing passwords, from what I know.

It can be important because the password you used may have been leaked or something like that (accidentally pasted in the wrong place).

(Would it be fine if I sent a patch (if I made one) on sourcehut even though I sent an issue on GitHub?)

Patch: https://lists.sr.ht/~bouncepaw/mycorrhiza-devel/patches/47102

bouncepaw commented 9 months ago

Sounds good.

Patches are totally fine.

JacksonChen666 commented 9 months ago

I'm about to start and...

Where do we even have a page for user account management?

I don't think there's any. Could I just place the change password page somewhere like /change-password or /.well-known/change-password (WIP spec) then deal with putting links after?

bouncepaw commented 9 months ago

Administrators can change users' groups and delete them at /admin/users. Does that count as user account management?

Following the standard sounds good.

JacksonChen666 commented 9 months ago

> Administrators can change users' groups and delete them at /admin/users. Does that count as user account management?

What if a user wants to change the password themselves? Or delete their account themselves?

Now that I know about the admin user interface again, I will also add changing password in the admin interface.

> Following the standard sounds good.

The endpoint is supposed to be a redirect, so my question is: What URL path should be used for the user changing their password for themselves? (We can't put the change password page at /.well-known/change-password cause the spec says no)

bouncepaw commented 9 months ago

> What if a user wants to change the password themselves? Or delete their account themselves?

They would need a separate page for that.

> What URL path should be used for the user changing their password for themselves?

/change-password or something. Maybe /settings/change-password, I want to have a /settings page one day.

JacksonChen666 commented 9 months ago

> Maybe /settings/change-password, I want to have a /settings page one day.

Going with that.

JacksonChen666 commented 9 months ago

Should changing password be restricted to local accounts? I'm assuming yes for now.

Let me know about things I should know like Telegram authentication (should password changes be allowed)?

bouncepaw commented 9 months ago

Restrict to local, yes. Telegram users have empty passwords, their authentication is done through Telegram.

JacksonChen666 commented 9 months ago

Sent the patch

bouncepaw commented 9 months ago

The patch was applied, thank you!
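
The rules settled in this thread (a redirect from /.well-known/change-password to /settings/change-password, password changes for local accounts only, Telegram accounts holding empty passwords), shown as an added Go example that is not part of the thread and not the applied patch. `Account`, its `Source` labels, `ChangePassword`, `WellKnownRedirect` and `hashPassword` are hypothetical names, and SHA-256 is a standard-library stand-in for a real password hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
)

// Account is a hypothetical user record, not Mycorrhiza's own type.
type Account struct {
	Source string // "local" or "telegram" (assumed labels)
	Hash   []byte // empty for accounts that authenticate elsewhere
}

var (
	ErrNotLocal = errors.New("password changes are limited to local accounts")
	ErrWrongPw  = errors.New("current password does not match")
	ErrEmptyPw  = errors.New("new password must not be empty")
)

// hashPassword is a stdlib-only stand-in; use a slow password hash in practice.
func hashPassword(pw string) []byte { s := sha256.Sum256([]byte(pw)); return s[:] }

// ChangePassword rejects non-local accounts first, so the comparison below
// is never run against an empty stored password.
func ChangePassword(a *Account, current, next string) error {
	switch {
	case a.Source != "local" || len(a.Hash) == 0:
		return ErrNotLocal
	case subtle.ConstantTimeCompare(a.Hash, hashPassword(current)) != 1:
		return ErrWrongPw
	case next == "":
		return ErrEmptyPw
	}
	a.Hash = hashPassword(next)
	return nil
}

// WellKnownRedirect serves /.well-known/change-password by redirecting to the form.
func WellKnownRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "/settings/change-password", http.StatusFound)
}

func main() {
	tg := &Account{Source: "telegram"} // constructed sample account
	fmt.Println(ChangePassword(tg, "", "new-secret"))
	http.HandleFunc("/.well-known/change-password", WellKnownRedirect) // registered, not served here
}
```

Refusing an empty new password keeps a local account from ending up in the same stored state as one that authenticates through Telegram.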