Open williamstein opened 1 year ago
-1 to the first, because of instinctive security concerns of mine. There is a slight possibility to send a password reset link to someone else. My thinking is, the process of resetting a password starts by entering the known and most likely correct email address into the application, then it checks if the address is known, and then sends the password reset.
For the case of API creation, I'm ok to make this password setting optional, though. Why? Whoever sends the API call to create a user already checked that the email address is correct (or their domain is under their full control). So, e.g. field { reset_password: true } (default false), which triggers a password reset token generation and inserts it prominently into the welcome email.
> There is a slight possibility to send a password reset link to someone else.
That's true, though I don't at all see why it would be a security issue. Are you thinking of the following?
Is that the entire security issue?
In any case, since you like the API optional version, I'm certainly ok with that. No matter what, making it initially optional would be a good idea, since it minimizes any adverse impact.
Thanks for your feedback and thoughts.
> Are you thinking of the following?
yes
When a new account is created with email foo@bar.com, we send that email a "welcome" and email verification link. It would be nice to also send a password reset link in that email. The reason is because if the account is created via an API call with a big random password, then the recipient of the email can set a password.
Alternatively, we could make it so that the page you see when you confirm your email address also gives you a clear option to set a new password. Then only one link is needed, and things are more likely to go well.
This would, e.g., be useful for 5x, so they don't have to send the password out as a separate email.
REQUESTED BY: https://5x.co/
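The opt-in `reset_password` field discussed in this thread, sketched as an added example that is not part of the original thread and not the project's own code. The names `createAccount`, `redeemResetToken` and `pendingResets`, the 24-hour lifetime and the `example.invalid` URL are assumptions; the in-memory map stands in for a database table.

```javascript
const nodeCrypto = require("node:crypto");

const RESET_TTL_MS = 24 * 60 * 60 * 1000; // assumed lifetime of the emailed link
const pendingResets = new Map(); // sha256(token) -> { email, expires }

const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest("hex");

// Hypothetical API handler: builds the welcome email for a newly created account.
// reset_password defaults to false, so existing API callers see no change.
function createAccount({ email, reset_password = false }, now = Date.now()) {
  const lines = ["Welcome! Verify your address: <email verification link>"];
  if (reset_password === true) {
    // 256 bits from the CSPRNG, URL-safe without padding.
    const token = nodeCrypto.randomBytes(32).toString("base64url");
    // Only the hash is stored, so a leaked table does not yield usable links.
    pendingResets.set(sha256(token), { email, expires: now + RESET_TTL_MS });
    lines.push(`Set your password: https://example.invalid/reset?token=${token}`);
  }
  return { to: email, body: lines.join("\n") };
}

// Redeem a token: single use, time limited, tied to the address it was mailed to.
// Returns the account email on success, null otherwise.
function redeemResetToken(token, now = Date.now()) {
  const key = sha256(String(token));
  const entry = pendingResets.get(key);
  if (!entry) return null;
  pendingResets.delete(key); // consumed on first presentation, expired or not
  return now <= entry.expires ? entry.email : null;
}
```

Because the token is bound to the address it was mailed to and expires, a welcome email delivered to the wrong person exposes only that one account, and only until the link is used or times out.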