Password resetting/creating

[Danwhy]

Required api:

• send reset password email
• send password creation email
  • to many users
• reset password
• create password

New User Flow

user signs up -> user is in db with no pw -> we want to send email to users without pw -> generate link for creating password -> send emails -> user clicks link -> is taken to page to create password

Change password functionality:

• Generate a token
• Hash and store in db, with an expiry of two hours (or longer for new users?)
• change password page sends new password and unhashed token to server
• token is checked against hashed version, and if correct, password is updated
• If user is logged in, log them out

Is there any difference between creating and updating a password? In append only, no difference in database updating, just user flow.

Email will have to be configurable, can we allow people to use any provider they want?

Links

https://www.troyhunt.com/everything-you-ever-wanted-to-know/ https://security.stackexchange.com/questions/117854/how-to-implement-forgot-password-functionality/117871 https://postmarkapp.com/guides/password-reset-email-best-practices

[nelsonic]

@Danwhy thank you for opening this issue. This is a good summary of what needs to be built for password reset.

If we can first create the Name https://github.com/dwyl/fields/issues/11 Email https://github.com/dwyl/fields/issues/12 and Password https://github.com/dwyl/fields/issues/13 in the Fields module/package, we can then render the password (create/reset) form using autoform.