loopbackio / loopback4-example-shopping

LoopBack 4 Example: Online Shopping APIs

How can I build reset password functionality in Loopback 4 #456

Closed baltameme closed 4 years ago

baltameme commented 4 years ago

Hi,

Is there any built-in component that can help in building the reset password functionality inside Loopback 4 user management?

hacksparrow commented 4 years ago

We don't have a built-in feature component, it can be done at the controller level too. Will add one in the example app later.

baltameme commented 4 years ago

Thanks @hacksparrow for the reply. What about the logout functionality? Is it the same thing? If so, could you please share some resources about the best practices for invalidating JWT tokens, especially if you are dealing with MongoDB, TypeScript and Loopback 4?

hacksparrow commented 4 years ago

JWT is a self-contained, self-validating token; it cannot be invalidated by any system. It becomes invalid if it is tampered with or reaches its expiry date.

To "log out" the user, just delete the token from the client. However, if there is a copy of the token elsewhere, it will continue to work till the expiry date.

More about JWT invalidation:

@strongloop/loopback-maintainers Use of JWT can be confusing and "unpleasant" for some, maybe we should use the conventional cookie-based session in the example app.

dougal83 commented 4 years ago

@baltameme I made an example a while ago combining Loopback 4 & Angular that encompasses a typical client logout function.

I'm going to create an example (WIP) combining Loopback 4 and Angular that will include user registration and password reset involving email confirmation, if that is of interest.

baltameme commented 4 years ago

Cool, thanks @dougal83 so much.

argupta23 commented 4 years ago

@dougal83

Is there an updated example that covers this subject?

Thanks

dougal83 commented 4 years ago

Hi @argupta23 I'm unaware of an updated example for password reset.

Hey @hacksparrow @jannyHou, are there any resources that cover password reset?

hacksparrow commented 4 years ago

Not yet, will open an issue.

rajeshwarsingh commented 4 years ago

@hacksparrow I am also looking for the recover and update profile functionality too. Please help us.

argupta23 commented 3 years ago

@dougal83 @hacksparrow I have looked at the update that was recently made to loopback-shopping-example related to this request.

Let me clarify what the request was.

The request was for Forgot-Password (Password Reset), wherein the user does not remember his password. One of the ways to solve this would be for the UI to prompt the user to enter an "email" and then generate a "Reset Token" in the background that would be emailed back to the user. On user click, it would trigger a connection back to the UI or LB backend, where one should perform a silent check of the "Token" validity and, on success, prompt the user to enter his new password.

It looks like somewhere the message got convoluted, and what was implemented is "Change Password", where the user is already logged in, and it is being termed as password-reset within the example.

Also, I feel the implementation for Change Password is a bit flawed. In the current state, after the change a new AccessToken is generated, which traditionally is not the case. Best practice should be to log out the user.

Please let me know your thoughts.
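The forgot-password flow described in the comment above, as an added example that is not part of the loopback4-example-shopping project: a small TypeScript service that issues a random reset token, stores only its hash with an expiry, and verifies it exactly once. The in-memory store, the `PasswordResetService` name and the 15-minute lifetime are assumptions; the caller is expected to email the raw token and, on successful verification, to set the new password and log the user out rather than mint a new access token.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// One pending reset per email. Only the SHA-256 of the token is kept, so a
// leaked store does not yield usable tokens. Constructed for this example.
interface ResetRecord {
  tokenHash: Buffer;
  expiresAt: number; // epoch milliseconds
}

class PasswordResetService {
  private records = new Map<string, ResetRecord>();

  // ttlMs and the clock are injectable so expiry can be tested offline.
  constructor(
    private ttlMs = 15 * 60 * 1000,
    private now: () => number = () => Date.now()
  ) {}

  // Step 1: the UI submits an email; mint a token and remember its hash.
  // The returned raw token is what the emailed link carries.
  issue(email: string): string {
    const token = randomBytes(32).toString("hex");
    this.records.set(email, {
      tokenHash: createHash("sha256").update(token).digest(),
      expiresAt: this.now() + this.ttlMs,
    });
    return token;
  }

  // Step 2: the link is opened; silently check the token before showing the
  // new-password form. Succeeds at most once; expired records are dropped.
  verify(email: string, token: string): boolean {
    const rec = this.records.get(email);
    if (!rec) return false;
    if (this.now() > rec.expiresAt) {
      this.records.delete(email);
      return false;
    }
    const given = createHash("sha256").update(token).digest();
    // Both digests are 32 bytes, so the constant-time compare is well-defined.
    if (!timingSafeEqual(given, rec.tokenHash)) return false;
    this.records.delete(email); // single use: consumed on success
    return true;
  }
}
```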

mrmodise commented 3 years ago

Hi @argupta23 thanks for looking into this. Please feel free to open a new issue with more details or raise a PR to solve this specific use case. Thanks

dougal83 commented 3 years ago

I think this would also make a good opportunity to make an example of how to send email via a package such as nodemailer. Alternatively, the example could be demonstrated here within the functionality to reset a password.

mrmodise commented 3 years ago

I don't mind adding to this or creating a new endpoint, but it would be best discussed in a new issue.