eclipse-archived / ceylon-herd

The Ceylon repository web application
Apache License 2.0

Reset password page #97

Closed FroMage closed 11 years ago

FroMage commented 11 years ago

We need a way for users to reset their password if they forget it. They need a combination of user name and email. We generate a new UUID in a new column in User.passwordResetConfirmation (check db column name size limit), and when the user clicks on the confirmation link that includes the UUID, we allow him to enter a new password.

Password resets require a special security logging like failed logins so that (non-distributed) brute-force can be filtered out.

thradec commented 11 years ago

Should be done. I also added a column passwordResetConfirmationDate so I can check link expiration. When you wrote "special security logging", did you mean Util.logSecurityAction or something else?

FroMage commented 11 years ago

so I can check link expiration

Is this important? Why?

did you mean Util.logSecurityAction

Yes

thradec commented 11 years ago

Is this important? Why?

I didn't want to allow the link to be valid forever.

FroMage commented 11 years ago

OK, fair enough.

FroMage commented 11 years ago

I think we also need to log requests to change the password, not just successes: any request to change the password where the username and email are both non-empty (it doesn't matter if they are valid or not). This way we can configure fail2ban to ban people who try to brute-force this.

For the same reason, I want to log requests to /reset-password-complete/{UUID} that are not valid. Again to make sure people don't brute-force it.
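The flow agreed in this thread, written out as an added example that is not Herd's own code (Herd is a Java/Play application; Python is used here so the logic can be run stand-alone). It covers the design from the opening comment (username + email, a UUID in `passwordResetConfirmation`, a `passwordResetConfirmationDate` so links expire) and the logging requirements above: every request with both fields non-empty is logged regardless of validity, and every invalid hit on `/reset-password-complete/{UUID}` is logged, in a line shape fail2ban can match. The `User` class, `ResetService`, `log_security_action`, the one-hour TTL and the log format are all assumptions made for this example; the thread names only the two columns, `Util.logSecurityAction` and the route.

```python
import hashlib
import hmac
import re
import secrets
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Assumed in-memory stand-in for Herd's User table. The two reset columns carry the
# names from the thread; the other fields are invented for the example.
@dataclass
class User:
    username: str
    email: str
    password_hash: bytes
    salt: bytes
    password_reset_confirmation: Optional[str] = None          # the UUID column
    password_reset_confirmation_date: Optional[datetime] = None

RESET_LINK_TTL = timedelta(hours=1)   # assumed; the thread only says "not valid forever"

# Stand-in for Util.logSecurityAction: in production this is a log file that fail2ban tails.
security_log: List[str] = []

def log_security_action(client_ip: str, action: str, detail: str) -> None:
    # One event per line, client IP in a fixed position so a failregex can extract it.
    security_log.append(f"SECURITY ip={client_ip} action={action} {detail}")

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class ResetService:
    def __init__(self, users: List[User], now: Optional[Callable[[], datetime]] = None):
        self.users = {u.username: u for u in users}
        self.now = now or (lambda: datetime.now(timezone.utc))   # injectable clock for expiry tests

    def request_reset(self, username: str, email: str, client_ip: str) -> Optional[str]:
        """Step 1: the user submits username + email.
        Logged whenever both fields are non-empty, valid or not (FroMage's fail2ban requirement)."""
        if not username or not email:
            return None
        log_security_action(client_ip, "password-reset-request", f"user={username!r}")
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.email.lower().encode("utf-8"),
                                                   email.lower().encode("utf-8")):
            # Same outward result as success so the form cannot be used to enumerate accounts.
            return None
        token = str(uuid.uuid4())
        user.password_reset_confirmation = token
        user.password_reset_confirmation_date = self.now()
        return token   # in the real app this value only ever travels inside the emailed link

    def complete_reset(self, token: str, new_password: str, client_ip: str) -> bool:
        """Step 2: /reset-password-complete/{UUID}. Invalid and expired tokens are logged."""
        user = next((u for u in self.users.values()
                     if u.password_reset_confirmation is not None
                     and hmac.compare_digest(u.password_reset_confirmation.encode("utf-8"),
                                             token.encode("utf-8"))), None)
        if user is None:
            log_security_action(client_ip, "password-reset-complete-invalid", f"token={token!r}")
            return False
        if self.now() - user.password_reset_confirmation_date > RESET_LINK_TTL:
            log_security_action(client_ip, "password-reset-complete-expired", f"user={user.username!r}")
            user.password_reset_confirmation = None          # an expired link is dead, not retryable
            user.password_reset_confirmation_date = None
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.password_reset_confirmation = None              # single use: clear the column on success
        user.password_reset_confirmation_date = None
        log_security_action(client_ip, "password-reset-complete", f"user={user.username!r}")
        return True

# What the fail2ban side would match. In a jail filter the ip group is written as <HOST>;
# successful completions are deliberately not matched, only requests and bad/expired tokens.
FAIL2BAN_FAILREGEX = re.compile(
    r"^SECURITY ip=(?P<ip>\S+) action=password-reset-(request|complete-invalid|complete-expired) ")

def offending_ips(lines: List[str]) -> List[str]:
    """Return the client IP of every log line fail2ban would count as a failure."""
    return [m.group("ip") for m in (FAIL2BAN_FAILREGEX.match(line) for line in lines) if m]
```

Two choices here go slightly beyond what the thread spells out and are worth keeping: the request endpoint returns the same thing whether or not the username/email pair matches, so the reset form does not become an account-enumeration oracle, and the UUID column is cleared on success and on expiry, so a link can never be replayed. A further hardening step not discussed in the issue would be to store a hash of the UUID rather than the UUID itself, so that a read of the database does not hand out working reset links.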

thradec commented 11 years ago

Comments processed.

FroMage commented 11 years ago

Thanks!