search

c-topherl / brewCom

0 stars 0 forks source link

Forgot password function #100

Open joelmeister opened 8 years ago

joelmeister commented 8 years ago

When a user hits "submit" on the forgot password screen (after filling in email), I'm thinking we just send the user an email with a "reset" link where they can enter in their username and new password.

The reset link will contain a random ID that ties to a record in the database (password_reset_requests table) with a set time limit (10 minutes or something). We use this random ID to verify the request came from us and to retrieve their user id to verify in the next step. If the request ID is valid, allow them to enter current email address and set a new password. The email they enter here we then compare against the email in the database. After a successful password update, delete the record from the password_reset_requests table and make them log in again (to generate and retrieve new cookie).

The table would be:

password_reset_requests rid varchar(32) user_id int request_time timestamp

Something similar to (or exactly like) this link: https://stackoverflow.com/questions/1102781/best-way-for-a-forgot-password-implementation

Thoughts? Is this what you were getting at on this comment?

@c-topherl

c-topherl commented 8 years ago

Definitely part of it, ya. I also think they should be able to change their login username and the email on their account, though... what do you think?

joelmeister commented 8 years ago

The update_user function allows that. If you update the username you must provide the password in the request. You just need to make sure the user id is passed with it

c-topherl commented 8 years ago

So their current password is required with the request, no matter what data they're changing?

Edit: for updating customer info, which is really a different issue/thread.

c-topherl commented 8 years ago

For resetting password, I need 1) what you want to call the variable in the URL and 2) request format (assuming customer controller... what data/what do you want to call it?)

I started a branch, password_reset. My changes definitely aren't done yet, though.

joelmeister commented 8 years ago

Let's go with 

{
function: reset_password,
email:<email>
}

to the customer controller. "reset_password" to go along with the verb form of function requests and only email because a lot of times people will forget their username or something too. Email is a unique key on the table so we will be able to look up the user id on the back end without them having to have it in their browser or anything.