Closed tzeumer closed 1 year ago
I think this feature would not be placed well in PAIA for two reasons:
Password reset via API cannot be confirmed for security reasons; the API answer must always be the same. Otherwise it would be possible to probe user ids and/or emails. This limits the usefulness of a PAIA API method to reset a password.
Setting the password needs to be done in a backend anyway: you don't send passwords by mail but an expiring link to a web interface where a new password can be typed in. If a web interface with a connection to the backend is needed anyway, why not also use it to reset the password in the first place?
We could send a valid token for method `change`, but this method requires `old_password`. Anyway, the application flow to reset a password is:
How about this enhancement:
Make request field `old_password` optional on method `change` (but make clear that PAIA servers can choose to require it). Applications then need a way to get valid tokens with `change_password` scope to set new passwords.
Add a public `reset` endpoint to PAIA auth with scope `reset_password`. This method is not designed to send emails but only to reset passwords. PAIA server implementations can choose how to actually do this reset (send an email, send a letter with a printed code, call the user by phone...); this is beyond the specification.
Your PAIA server should then use a client credential to deliver tokens with scope `reset_password`, so only trusted applications can call this method. In this case we can also define a more useful response.
Expiration of tokens needs to be considered as well.
Related #60
Valid points. At the core (pa-I-A) modifying an account is probably not an aim of the api. Still, since changing a password already is possible (and thus straying from the "I-only" paradigm), resetting it would feel pretty much right to me anyway :)
I think the suggestion sounds promising. One could pretty easily implement a reset form, get a token and send the link containing this token to the user. This has the big advantage that multiple authentication sources (LBS and LDAP for us) could be populated in a standardized way, even if the LBS password "encryption" algorithm would change in the (maybe near) future.
But granted, this might be a pretty special use case and (in respect to the LBS) most system administrators might be happy with the (more or less recent implementation of the) inbuilt password reset method.
So I'll put this into the waiting queue until someone actually needs the feature.
As of 2017-09-19 and according to a LBS Jira ticket (link; closed access), "A new secure "hash" procedure for the user password in LBS4/Loan4 is in development and the solution version will be announced soon." This would be the time for us :)
The workflow might be:
(`reset_password`)
(`change_password`)
Application A, B, and C might be identical. Open question: should application C be able to change passwords of all users just with its client credentials? If not, the PAIA server could issue a specific token with scopes `read_patron` and `change_password` and include this token with the notification of application B. The token will expire after a fixed time.
So I'll put this into the waiting queue until someone actually needs the feature.
Some libraries in the beluga core context would welcome this feature very much!
What exact feature do libraries actually want? Can you give a sample query and expected outcome? Something like described at https://stackoverflow.com/questions/3077229/restful-password-reset?
It is not yet planned on a technical level, but there is need for a "Forgot your password?" link on the VuFind / ... login dialogs. By now those links always redirect to a similar function of the old OPAC systems, but the users should be kept in the same system.
I suggest adding a PAIA auth method `reset` and a new scope `reset_password`:
purpose: Reset password of a patron
URL: https://example.org/auth/reset
request parameters: `patron` identifier
response fields: `patron` identifier (mandatory), `message` (optional)
On success, the PAIA auth server initiates a password reset by means not defined in this specification (e.g. mail). The server SHOULD also create a notification when a password has been reset.
A token with `reset_password` scope can be obtained via the login method, for instance with client credentials or unrestricted with patron identifier and empty password.
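As an added example (not code from the PAIA project or from this thread), a minimal handler for the proposed `reset` method that enforces the `reset_password` scope, answers identically whether or not the patron exists (the probing concern raised earlier in the thread), and issues an expiring single-use reset token for the out-of-band delivery step. The store, the `RESET_TOKEN_TTL` value and the error body layout are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

RESET_TOKEN_TTL = 3600  # seconds; assumed value, the proposal does not fix one


@dataclass
class ResetStore:
    """Assumed server-side state: known patrons, pending reset tokens, notifications."""
    patrons: set
    tokens: dict = field(default_factory=dict)        # reset token -> (patron, expiry)
    notifications: list = field(default_factory=list)


def handle_reset(store, bearer_scopes, request, now=None):
    """Handle POST /auth/reset. Returns (status, body).

    The 200 body is the same for known and unknown patrons, so a caller with
    a reset_password token still cannot enumerate patron identifiers."""
    now = time.time() if now is None else now
    if "reset_password" not in bearer_scopes:
        return 403, {"error": "insufficient_scope",
                     "error_description": "reset_password scope required"}
    patron = request.get("patron")
    if not patron:
        return 400, {"error": "invalid_request",
                     "error_description": "patron identifier required"}
    # Generate the token in both branches so response timing does not differ either.
    token = secrets.token_urlsafe(32)
    if patron in store.patrons:
        store.tokens[token] = (patron, now + RESET_TOKEN_TTL)
        # Delivery (mail, letter, phone call) happens out of band, as proposed.
        store.notifications.append({"patron": patron, "type": "password_reset_initiated"})
    return 200, {"patron": patron,
                 "message": "If this patron exists, a password reset has been initiated."}


def redeem_reset_token(store, token, now=None):
    """Consume a reset token once; return its patron, or None if unknown/expired.
    The backend's actual password update would follow a successful redemption."""
    now = time.time() if now is None else now
    entry = store.tokens.pop(token, None)   # single use: removed even if expired
    if entry is None:
        return None
    patron, expiry = entry
    return patron if now <= expiry else None
```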
Specified but not published yet (1.4.0)
Is this feature implemented or only specified?
It would be nice if PAIA had a method for resetting a (forgotten) password. This requires that an email (or maybe a mobile number for SMS in the future) has been set where a verification/approval link can be sent to the patron.
(Well, thinking of it, some kind of administrative/admin reset for a user id would be really nice too. But this is really only - but in fact - interesting if you have to reset it programmatically in multiple systems - like LDAP - at the same time).