MatthewVita
commented
8 years ago issue is here: https://github.com/saxifrage/cityasacampus/issues/367
Open dmtroyer opened 8 years ago
MatthewVita
commented
8 years ago issue is here: https://github.com/saxifrage/cityasacampus/issues/367
MatthewVita
commented
8 years ago @dmtroyer okay so I started on this and immediately ran into something that I wanted to discuss with you before moving forward.
Basically implementing the "Forgot Password" stuff is simple by calling $auth.requestPasswordReset(passwordResetPayload). However, the email that goes to the user contains a customizable link for the user to reset their password... for example:
<a href="http://{host}/dashboard/users/password/edit?reset_password_token=YcKXiKpWyeUsrh7EuPL1">Change my password</a>
Assume that we change that url to http://{host}/#/users/password/reset?reset_password_token=YcKXiKpWyeUsrh7EuPL1 and on the Angular side, bring in the value of the token via the $routeParams...
Now see the following doc: https://github.com/lynndylanhurley/ng-token-auth#authupdatepassword (the function we'd most likely use to handle this). I have 2 problems with it:
reset_password_token.... am I missing something or will we have to call a devise endpoint manually with this information?
dmtroyer
commented
8 years ago @MatthewVita I gotcha...
The link in the email shouldn't be to the page where the user will edit their password, but rather to the api/v1/auth/password/edit route, with the reset_password_token and redirect_url params set. Once the user clicks the link and makes that GET request, it authorizes them to edit their password, authenticates or quasi-authenticates them and forwards them to redirect_url, which should be where the user edits their password using the $auth.updatePassword method without needing a current password.
Granted, I didn't test any of this so take it with a grain of salt :-), but that should get you down the right track.
The docs on the devise-token-auth side can be quasi helpful.
MatthewVita
commented
8 years ago @dmtroyer thanks for the rundown... things are a tad more clear now. I read over the devise-token-auth code a bit and it seems like the two major drivers of this are:
I'm not sure we'll get the authentication/quasi-authentication we're looking for OOTB as you described it, but playing around/reading more into the docs/code will be the only way to find out.
Will update with my findings.
MatthewVita
commented
8 years ago View of note:
app/views/devise/passwords/edit.html.erb (need to clear this out since we're going to rely on the redirect alone)
MatthewVita
commented
8 years ago Trying out the example app (http://ng-token-auth-demo.herokuapp.com/) to see the strategy there.
The reset password link in the email is:
http://devise-token-auth-demo.herokuapp.com/auth/password/edit with the following query params:
after clicking it, it is:
...here's the request when PUTing the new password
MatthewVita
commented
8 years ago Okay, so I'm on the right track with calling out a passwordResetSuccessUrl on the frontend because it is
[...] the URL to which the API should redirect after users visit the links contained in password-reset emails.
...however, even when providing this url, the redirect_url never seems to be included in the email link. For example "www.google.com" is correctly picked up in the headers but is not added into the config query string:
...
provider: email
redirect-url: www.google.com
client-config: default
<p>Hello asdf@asdf.com!</p>
<p>Someone has requested a link to change your password. You can do this through the link below.</p>
<p><a href="http://localhost:3000/dashboard/users/password/edit?reset_password_token=wkrTqovVJ2frFKX3934s">Change my password</a></p>Therefore, I am stuck at the part where the "user is redirect to client..." of the following figure:
MatthewVita
commented
8 years ago As seen below, using the live sample app, the redirect_url is in place and is redirecting correctly. However, the "one time auth" isn't working; one cannot reset the password :(
(right click to view full size gif)
As seen in our app, the redirect_url isn't being placed in the url correctly. User can't reset their password on whatever custom URL we want them to be directed to (in our case it will be something like http://localhost:3000/#/users/password/reset?allow_reset=yes, but I'm just using http://www.google.com for now)
(right click to view full size gif)
...As such, I'm blocked on this feature. I'm going to submit an issue to the folks at ng-token-auth and will report back.
@timothyfcook, @dmtroyer
MatthewVita
commented
8 years ago dmtroyer
commented
8 years ago @MatthewVita I took a quick peek and added the devise_token_auth mailer views which include the redirect_url param and things seem to be happier. I also had roll back to the default passwordResetSuccessUrl as URI didn't seem to like it without a prepending http://. Lastly, I had to comment out some of the old devise configuration on /dashboard as it was conflicting with the edit_password_url helper in the mailer view.
That should help get you on the right track.
MatthewVita
commented
8 years ago @dmtroyer you're awesome. I missed this because I was focused on reviewing the code over at the ng-token and gem repos and didn't see that our view was overriding the defaults >.<.
However, this is still problematic (see the "UPDATE" I added to the issue) because the route gets messed up (https://github.com/lynndylanhurley/ng-token-auth/issues/249). And even with that, the other issue I opened still needs address (https://github.com/lynndylanhurley/ng-token-auth/issues/248)
This feature is blocked for now. I'm going to "groom" our MVP backlog and probably start on the dashboard > location area :)
Start on password reset.