added code and setup for password reset #1
Merged
@@ -0,0 +1,5 @@ | ||
{ | ||
"require": { | ||
"phpmailer/phpmailer": "^6.9" | ||
} | ||
} |
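Review bot: the `"phpmailer/phpmailer": "^6.9"` constraint is fine, but nothing in this hunk pins the version that actually gets installed; unless a composer.lock is committed alongside this composer.json, different checkouts can resolve to different 6.9.x releases. Suggest committing the lock file, and adding a `"php"` entry under `"require"` so Composer refuses to install on an unsupported runtime.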
@@ -0,0 +1,11 @@ | ||
<?php | ||
|
||
// Configuration of Mail Server | ||
|
||
return [ | ||
'smtp_host' => 'sandbox.smtp.mailtrap.io', // STMP Host Server | ||
'smtp_port' => '2525', // STMP Port | ||
'smtp_username' => 'xxxx', // STMP Username | ||
'smtp_password' => 'xxxx' // STMP Password | ||
]; | ||
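Review bot: this file stores SMTP credentials in a tracked PHP source file (the `'xxxx'` placeholders on the `smtp_username` and `smtp_password` lines), so the first person to fill in real Mailtrap credentials and commit will leak them into repository history. Suggest reading them from the environment, e.g. `'smtp_password' => getenv('SMTP_PASSWORD')`, or loading a git-ignored local config and keeping this committed copy as a template. Minor points: the comments read `STMP` instead of `SMTP` on all four lines, and there is no encryption setting next to host and port, so whatever consumes this array has to decide on its own whether the SMTP session is encrypted.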
Wait, I left a comment, where did it go?
I left a whole ASS comment and it just didn't send, man I really hate GitHub, whatever I'll just summarize what I said before.
Your code is good, however sending plaintext passwords is, well, bad, as anyone with access to the user's email can read the password. This can lead to unauthorized access if the user's email account is compromised.
My suggestion was:
Instead of generating a new password, the system generates a unique, cryptographically secure token. This token is sent to the user's email address and used to authenticate the password reset process. The token is temporarily stored in the user's record in the database, associating it with their account. A password reset URL is generated, which includes the token. The URL points to a new route (/_reset) that handles the actual password reset process. In this route, the user enters a new password, which is then hashed and stored in the database. The reset token is removed, disabling the password reset functionality for that token.
Pros (yay):
Users (people like me) can easily update their passwords without having to manage or remember the previous one.
Users (people like me) can set their own
Cons (yes it has):
Implementing a token-based password reset process is more complex than simply generating and sending a new password. (might be? idk, depends on skill level I guess)
And, well, if tokens are not set to expire after a certain time or after they have been used, they could be used maliciously if intercepted. Therefore, it is essential to implement token expiration or a limited number of uses to ensure security. 👍
(there's probably more)
But your code is good (tested website) and like I said before I don't think anyone is that desperate (hopefully), and this is just a suggestion, because yes, your current code is good.
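The token-based flow described in the comment above, written out as an added example; this is not code from the PR or the project. It assumes a `users` table with `password_hash`, `reset_token_hash` and `reset_expires_at` columns (constructed here in an in-memory SQLite database), uses a placeholder host in the link, and leaves the actual email send to the project's PHPMailer code.

```php
<?php
// Added example: token-based password reset with expiry and single use.
// Only a SHA-256 hash of the token is stored, so a database leak does not
// hand out usable reset links; the raw token exists only in the emailed URL.
declare(strict_types=1);

const RESET_TTL_SECONDS = 900; // 15 minutes, then the token is dead

function createResetToken(PDO $db, string $email): ?string {
    $token = bin2hex(random_bytes(32));                 // 256-bit CSPRNG token
    $stmt = $db->prepare('UPDATE users SET reset_token_hash = :h, reset_expires_at = :e WHERE email = :m');
    $stmt->execute([':h' => hash('sha256', $token), ':e' => time() + RESET_TTL_SECONDS, ':m' => $email]);
    // null for an unknown email; the caller should respond identically either way
    return $stmt->rowCount() === 1 ? $token : null;
}

function resetLink(string $token): string {
    return 'https://example.invalid/_reset?token=' . rawurlencode($token); // placeholder host
}

function completeReset(PDO $db, string $token, string $newPassword): bool {
    $stmt = $db->prepare('SELECT id, reset_expires_at FROM users WHERE reset_token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                   // unknown or already-used token
    }
    if ((int) $row['reset_expires_at'] < time()) {
        return false;                                   // expired: do not accept it
    }
    // Store a password hash, never the password itself, and clear the token so it is single-use.
    $upd = $db->prepare('UPDATE users SET password_hash = :p, reset_token_hash = NULL, reset_expires_at = NULL WHERE id = :id');
    $upd->execute([':p' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $row['id']]);
    return true;
}

// Demo on constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT, reset_token_hash TEXT, reset_expires_at INTEGER)');
$db->exec("INSERT INTO users (email, password_hash) VALUES ('alice@example.invalid', '')");

$token = createResetToken($db, 'alice@example.invalid');
echo resetLink($token), PHP_EOL;                        // this URL is what goes into the email
var_dump(completeReset($db, $token, 'correct-horse-battery'));  // bool(true)
var_dump(completeReset($db, $token, 'second-attempt'));         // bool(false): token already consumed
```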
A good suggestion, and would definitely be better security-wise. I will add it to the "to-do" list for this code. Right now, I just wanted to get it up and running so people could reset their own passwords without me having to do it for them (also bad security!).
If you can code this, please feel free to do so and send a PR for it. Otherwise, it will have to wait just a bit until I can get a few other things sorted.
I think I will add a note to the password reset, informing the user to please change their password after logging in, and not keep the temporary password. The "change password" code is another thing I eventually need to change, because the "old password" is hashed, but the new password is shown in the form as plain text, which isn't a good idea.