
Password reset #63

Open
ilabacheuski opened this issue Apr 15, 2017 · 1 comment

Comments

@ilabacheuski

As was discussed in #55, there is a problem when someone steals your access token.
In the password change API we agreed to check the current user's (or admin's) password on every request. But in the password change API such an approach doesn't work. If you reset the password, it means your current password is lost somehow.
Right now what I am considering is to have e-mail information about the user, send an email with a random token, and store this token in Session for maybe an hour.
Or disable this feature.
Or figure out some other method to do it.

Now it just generates a random password if you are an admin or a signed-in user, then sends it back. So anyone who has the token may just reset the password and then, with the help of this new one, change the password.

@alewiahmed

The user should send an email address to the password reset endpoint, and if the email sent belongs to one of the users, the endpoint should send an email to the user. I don't know how you're going to send the email or whether the client software is responsible for sending it, but those should be the steps.
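The flow proposed in the two comments above (an e-mailed random token that lives for about an hour, and an endpoint that accepts an e-mail address without revealing whether it is registered), as an added example that is not the project's own code. The in-memory user table, the session table and the `pbkdf2_hmac` password hashing are assumptions standing in for whatever the project uses; the insecure function at the top mirrors the current behaviour the issue describes, and the two functions below it show the token-based replacement.

```python
import hashlib
import secrets
import time

RESET_TOKEN_TTL_SECONDS = 3600  # the roughly hour-long window proposed in the thread
SALT = b"constructed-static-salt"  # assumption: a per-user salt would be used in a real store

# Constructed in-memory stores standing in for the project's database (assumed shape).
USERS = {"alice@example.com": {"password_hash": None}}
SESSIONS = {"access-token-abc": "alice@example.com"}  # access token -> user
# Pending reset tokens, keyed by SHA-256(token): {"email", "expires_at"}.
# Only the hash is stored, so a copy of this table alone cannot be replayed.
PENDING_RESETS = {}


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def set_password(email: str, password: str) -> None:
    USERS[email]["password_hash"] = _hash_password(password)


def check_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None or user["password_hash"] is None:
        return False
    return secrets.compare_digest(user["password_hash"], _hash_password(password))


def insecure_reset(access_token: str):
    """Behaviour the issue describes: any bearer of an access token gets a fresh password.

    A thief who holds the access token therefore also obtains the new password.
    """
    email = SESSIONS.get(access_token)
    if email is None:
        return None
    new_password = secrets.token_urlsafe(12)
    set_password(email, new_password)
    return new_password


def request_reset(email: str, now=None):
    """Step 1: the caller submits an e-mail address, not an access token.

    Returns the plaintext token to be delivered by e-mail, or None for an
    unknown address. The HTTP layer must answer identically in both cases
    so the endpoint does not reveal which addresses are registered.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[_hash_token(token)] = {
        "email": email,
        "expires_at": now + RESET_TOKEN_TTL_SECONDS,
    }
    return token


def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Step 2: only the e-mailed token authorizes the change; it is single use and expires."""
    now = time.time() if now is None else now
    # pop() removes the entry whether or not it is valid, so a token can never be replayed
    entry = PENDING_RESETS.pop(_hash_token(token), None)
    if entry is None or now > entry["expires_at"]:
        return False
    set_password(entry["email"], new_password)
    return True


if __name__ == "__main__":
    set_password("alice@example.com", "old-secret")
    print("stolen access token yields password:", insecure_reset("access-token-abc"))
    token = request_reset("alice@example.com")
    print("reset via e-mailed token:", complete_reset(token, "new-secret"))
    print("replay of same token:", complete_reset(token, "another"))
```

Note that `request_reset` returning `None` for an unknown address is internal; the endpoint wrapping it should return the same status and body either way, and the only thing that differs is whether an e-mail actually goes out.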
