Closed riverrun closed 5 years ago
Fixed
Is there a way to reset the password before the account is confirmed? Or even confirm the account when the reset key is submitted for the reset (after receiving the email and following the link)?
@carterbryden this is possible, but it is not really recommended. Here are a couple of links providing you with more information about this - https://ux.stackexchange.com/questions/30249/how-to-handle-forgot-password-when-user-has-not-confirmed-email and https://ux.stackexchange.com/questions/30249/how-to-handle-forgot-password-when-user-has-not-confirmed-email
But if you still want to do this, one way is to create a custom PassReset module:
defmodule MyApp.Confirm.PassReset do
use Phauxth.Confirm.Base
@impl true
def report({:ok, user}, meta), do: log_output(user, meta)
def report(result, meta), do: super(result, meta)
defp log_output(%{reset_sent_at: nil}, meta) do
Log.warn(%Log{message: "no reset token found", meta: meta})
{:error, Config.user_messages().invalid_token()}
end
defp log_output(user, meta) do
Log.info(%Log{user: user.id, message: "user confirmed for password reset", meta: meta})
{:ok, Map.drop(user, Config.drop_user_keys())}
end
end
The above module is just an example - the important thing is that you create a module without the confirmed_at: nil
check.
If you have any further comments / questions, just let me know.
I just stumbled over this and asked myself the question why you wouldn't allow to reset an unconfirmed user account password. As someone wrote in the mentioned discussion on SO
If user forgetting his password:
User automatically confirms, that the mail address is his own mail address, when he request for the "Reset Password Link", since he can only activate the reset password link through his email, and he won't get the key otherwise, and as i said before if the mail or mail server are compromised, then it's over for him either way.
So are there any other security concerns on allowing this?
I spent some time looking into this in the past, and it was difficult to get a definitive answer. However, it does seem that the general advice is to not allow an unverified email to be used for password reset.
There was also a question about this on quora, and it seems that Instagram also do not allow this. One of the answers there mentions that this helps prevent accounts being stolen, but unfortunately, it does not go into details about how an account can be stolen.
In situations like this, I think it's better to be safe than sorry.
I would like feedback on this issue - about the default behavior of the Confirm.PassReset module. Should it also check the confirmed_at status as well?