Open dmtroyer opened 8 years ago
issue is here: https://github.com/saxifrage/cityasacampus/issues/367
@dmtroyer okay so I started on this and immediately ran into something that I wanted to discuss with you before moving forward.
Basically implementing the "Forgot Password" stuff is simple by calling `$auth.requestPasswordReset(passwordResetPayload)`. However, the email that goes to the user contains a customizable link for the user to reset their password... for example:
<a href="http://{host}/dashboard/users/password/edit?reset_password_token=YcKXiKpWyeUsrh7EuPL1">Change my password</a>
Assume that we change that url to http://{host}/#/users/password/reset?reset_password_token=YcKXiKpWyeUsrh7EuPL1 and on the Angular side, bring in the value of the token via the `$routeParams`
...
Now see the following doc: https://github.com/lynndylanhurley/ng-token-auth#authupdatepassword (the function we'd most likely use to handle this). I have 2 problems with it:
reset_password_token
.... am I missing something or will we have to call a devise endpoint manually with this information?
@MatthewVita I gotcha...
The link in the email shouldn't be to the page where the user will edit their password, but rather to the `api/v1/auth/password/edit` route, with the `reset_password_token` and `redirect_url` params set. Once the user clicks the link and makes that `GET` request, it authorizes them to edit their password, authenticates or quasi-authenticates them and forwards them to `redirect_url`, which should be where the user edits their password using the `$auth.updatePassword` method without needing a current password.
Granted, I didn't test any of this so take it with a grain of salt :-), but that should get you down the right track.
The docs on the devise-token-auth side can be quasi helpful.
@dmtroyer thanks for the rundown... things are a tad more clear now. I read over the devise-token-auth code a bit and it seems like the two major drivers of this are:
I'm not sure we'll get the authentication/quasi-authentication we're looking for OOTB as you described it, but playing around/reading more into the docs/code will be the only way to find out.
Will update with my findings.
View of note: `app/views/devise/passwords/edit.html.erb` (need to clear this out since we're going to rely on the redirect alone)
Trying out the example app (http://ng-token-auth-demo.herokuapp.com/) to see the strategy there.
The reset password link in the email is `http://devise-token-auth-demo.herokuapp.com/auth/password/edit` with the following query params:
after clicking it, it is:
...here's the request when `PUT`ing the new password
Okay, so I'm on the right track with calling out a `passwordResetSuccessUrl` on the frontend because it is
> [...] the URL to which the API should redirect after users visit the links contained in password-reset emails.
...however, even when providing this url, the `redirect_url` never seems to be included in the email link. For example "www.google.com" is correctly picked up in the headers but is not added into the config query string:
...
provider: email
redirect-url: www.google.com
client-config: default
<p>Hello asdf@asdf.com!</p>
<p>Someone has requested a link to change your password. You can do this through the link below.</p>
<p><a href="http://localhost:3000/dashboard/users/password/edit?reset_password_token=wkrTqovVJ2frFKX3934s">Change my password</a></p>
Therefore, I am stuck at the part where the "user is redirect to client..." of the following figure:
As seen below, using the live sample app, the `redirect_url` is in place and is redirecting correctly. However, the "one time auth" isn't working; one cannot reset the password :(
As seen in our app, the `redirect_url` isn't being placed in the url correctly. User can't reset their password on whatever custom URL we want them to be directed to (in our case it will be something like `http://localhost:3000/#/users/password/reset?allow_reset=yes`, but I'm just using `http://www.google.com` for now)
...As such, I'm blocked on this feature. I'm going to submit an issue to the folks at ng-token-auth and will report back.
@timothyfcook, @dmtroyer
@MatthewVita I took a quick peek and added the devise_token_auth mailer views which include the `redirect_url` param and things seem to be happier. I also had to roll back to the default `passwordResetSuccessUrl` as `URI` didn't seem to like it without a prepending `http://`. Lastly, I had to comment out some of the old devise configuration on /dashboard as it was conflicting with the `edit_password_url` helper in the mailer view.
That should help get you on the right track.
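A stand-alone illustration of the link construction described in this thread, added here and not code from cityasacampus, devise-token-auth or ng-token-auth: it builds the API `password/edit` link carrying `reset_password_token` and `redirect_url`, and as a defensive check rejects a `redirect_url` that has no `http(s)://` scheme (the `URI` failure mentioned above) or points at a host outside an allow-list, so the link cannot be turned into an open redirect. The host names and the API base are assumptions.

```ruby
require "uri"

# Constructed allow-list of hosts the API may redirect to after the one-time
# auth GET; these names are assumptions, not the project's configuration.
ALLOWED_REDIRECT_HOSTS = ["localhost", "app.example.org"].freeze
PASSWORD_EDIT_PATH = "/api/v1/auth/password/edit"

# True only for an absolute http/https URL whose host is on the allow-list.
# A bare "www.google.com" parses as a relative path with no scheme, which is
# the case URI choked on in the thread, so it is rejected here too.
def valid_redirect_url?(redirect_url)
  uri = URI.parse(redirect_url.to_s)
  return false unless uri.is_a?(URI::HTTP) # covers URI::HTTPS as a subclass
  ALLOWED_REDIRECT_HOSTS.include?(uri.host)
rescue URI::InvalidURIError
  false
end

# Builds the link the password-reset mail should carry: the API edit route
# with reset_password_token and redirect_url as query params. The token is
# form-encoded so characters like "#" in the client URL survive the trip.
def password_reset_link(api_base:, reset_password_token:, redirect_url:)
  unless valid_redirect_url?(redirect_url)
    raise ArgumentError, "redirect_url must be an absolute http(s) URL on an allowed host"
  end
  uri = URI.join(api_base, PASSWORD_EDIT_PATH)
  uri.query = URI.encode_www_form(reset_password_token: reset_password_token,
                                  redirect_url: redirect_url)
  uri.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed token value for demonstration only.
  puts password_reset_link(api_base: "http://localhost:3000",
                           reset_password_token: "EXAMPLE_TOKEN",
                           redirect_url: "http://localhost:3000/#/users/password/reset")
end
```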
@dmtroyer you're awesome. I missed this because I was focused on reviewing the code over at the ng-token and gem repos and didn't see that our view was overriding the defaults >.<.
However, this is still problematic (see the "UPDATE" I added to the issue) because the route gets messed up (https://github.com/lynndylanhurley/ng-token-auth/issues/249). And even with that, the other issue I opened still needs addressing (https://github.com/lynndylanhurley/ng-token-auth/issues/248)
This feature is blocked for now. I'm going to "groom" our MVP backlog and probably start on the dashboard > location area :)
Start on password reset.