Comments (19)
I put it in the subject line, but forgot to mention that the link to reset the password should expire after a few hours.
from userfrosting.
I agree. It might also be worth implementing an additional level of identity verification, such as asking them to enter their username, before allowing them to reset their password (after the reset link has been sent; see the flowchart at the bottom of http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html).
Would you want to take charge on implementing this feature?
I can, although it might be several months till I can finish it. So if anyone is really anxious and wants to take it, let me know.
Wouldn't it be easier to send the auth code to reset the password, and when the user clicks the link we check to see how long it's been since the auth key was sent? If it's more than, say, 6 hours or whatever time frame, make them re-validate and start again?
@Soupala thanks! I'm going to be working mainly on the auth system over the next few weeks, so maybe after that would be a good time to implement this feature.
@lilfade yes, we should definitely have an expiration time for the auth keys. But, requiring an extra piece of information would help in the event that the user's email account has been compromised somehow.
Maybe some password reset questions could be implemented, e.g. "What's your favorite color" or "What hospital were you born in", etc. Most people won't forget questions such as these as easily as their password.
Yeah, we could do something like that, although we'd need something difficult for a hacker to glean from people's social media accounts. See http://goodsecurityquestions.com/. We need questions that people won't forget, are universally applicable, and cannot be easily deduced from social media.
We could also possibly make the questions a feature that admins can configure themselves ;-)
Well, we could have the user set the question, and when the user requests a lost password we could have them choose the question (say, using radio boxes alongside 2 other questions); if they select the right question, they provide the answer as well. We could do this 2 times and have 5 questions from the user. This would make it pretty secure, I'd say. Any ideas?
Tricky issue. If we leave it to the users to create their own, we can't trust they'll create good ones. But on the other hand, if we come up with a list of questions that can't easily be guessed or gleaned from stolen documents, that would be good.

On Wed, May 7, 2014 at 9:38 AM, Alex Weissman [email protected]:

We could also possibly make the questions a feature that admins can configure themselves ;-)
-Mica
I updated the lost password page. I need to make a few fixes and drop a lot of debug code, but basically I changed it so there is a configurable time setting (by admin) for password reset links to expire. When you get the email it will direct you to the page to change your password rather than send you a password. And to change the password you will also need to verify the username associated with the activation token.
Just need to touch everything up and we can probably close this feature as well.
Actually, I need to do some work on this still to make sure everything is working before I make a pull, but that should happen today sometime ^_^
Sweet! I'll be gone for the weekend, if I don't get a chance to look at it before I leave, I'll see it on Monday :-D
That's cool. At the moment it's really rough and I still need to fix it up, but I finally got the forgot_password.php to load 2 forms and process them with the JS depending on which form loaded. It works, though; I'm just gonna rewrite it a little bit to make it all work a bit better ^_^. Yeah, no rush on this one though, I'm not sure how this weekend will work out for me yet, may have time or may not xD
Ok, this should all work. Wanna check this out (https://github.com/lilfade/UserFrosting/compare/alexweissman:butterflyknife...master) and let me know what you think of the changes and if you think we need anything else added? I still have to add the new msgs to the lang array, but that's about it I think.
Nice, looks fantastic. This is getting me thinking that rather than keeping all of these seldom-used variables (activation requests, password requests, etc.) directly in the user table, we could keep them in a separate table. Then we could keep a sort of history of account events for users, and the user table would be less cluttered.
Did you just want to use something like this then?
User | User Extra
---|---
id | id
user_id |
user_name | activation_token
display_name | last_activation_request
password | lost_password_request
lost_password_timestamp |
active |
title |
sign_up_stamp |
last_sign_in_stamp |
enabled |
Or maybe we can do something like:
User Extra | User Extra 1 | User Extra 2
---|---|---
id | 1 | 2
user_id | 1 | 2
request_name | lost_password_request | activation_token
request_value | 1 | b20913e533fd20dade5c03e0d46a995c
The only issue I can see is that if we hold all values of a user's requests we might end up having a very long table of data, but we could set up a function to clear this table on a set schedule.
Hmm, I like the second, although we'd need every entry to have a timestamp so we can identify the most recent value. Let's wait on this; it's not critical to pushing butterflyknife. We'll try to gauge what people want for future releases.
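The reset flow lilfade describes above (an admin-configurable expiry, a link that leads to a change-password page, and a username check tied to the token) combined with the timestamped "User Extra" event rows discussed here, as an added illustration in Python; this is not UserFrosting's PHP code, and the class name, the 6-hour default, the hashing of the stored token and the in-memory tables are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 6 * 3600  # default link lifetime; admin-configurable in the thread (constructed)

class AccountEvents:
    """Append-only rows (user_id, request_name, request_value, timestamp), the
    'User Extra' layout from the thread; the newest row per (user, name) wins."""
    def __init__(self):
        self.rows = []    # constructed in-memory stand-in for the event table
        self.users = {}   # user_id -> user_name (constructed stand-in for the user table)

    def add_user(self, user_id, user_name):
        self.users[user_id] = user_name

    def latest(self, user_id, request_name):
        matches = [r for r in self.rows
                   if r["user_id"] == user_id and r["request_name"] == request_name]
        # reversed() so that on equal timestamps the most recently appended row wins
        return max(reversed(matches), key=lambda r: r["timestamp"]) if matches else None

    def issue_reset(self, user_id, now=None):
        """Mint a token for the emailed link; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        self.rows.append({"user_id": user_id, "request_name": "lost_password_request",
                          "request_value": hashlib.sha256(token.encode()).hexdigest(),
                          "timestamp": time.time() if now is None else now})
        return token

    def redeem_reset(self, user_id, user_name, token, now=None, ttl=RESET_TTL_SECONDS):
        """Return (ok, reason); any failure means the user must start the flow again."""
        now = time.time() if now is None else now
        row = self.latest(user_id, "lost_password_request")
        if row is None:
            return False, "no_request"
        if now - row["timestamp"] > ttl:            # link older than the admin-set window
            return False, "expired"
        digest = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest.encode(), row["request_value"].encode()):
            return False, "bad_token"
        # second factor from the thread: the username must match the token's account
        if not hmac.compare_digest(self.users.get(user_id, "").encode(), user_name.encode()):
            return False, "bad_username"
        # consume the token by appending an empty newer row, so the link is single use
        self.rows.append({"user_id": user_id, "request_name": "lost_password_request",
                          "request_value": "", "timestamp": now})
        return True, "ok"
```

Because only the newest row is consulted, re-requesting a reset invalidates every earlier link, and the empty consumption row is what a scheduled clean-up job could later purge.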
Implemented in butterflyknife.