
Reset Passwords

When a user forgets their password, the best solution is to send them an email containing a link that allows them to create a new one. AuthN ensures that the forgotten password process does not allow attackers to enumerate user accounts, while providing a secure reset token to your application for delivery.

Configuration

Implementation

Backend

Your application must implement an endpoint (secured by SSL & HTTP Basic Auth) that expects a POST request with account_id and token params. It should use the account_id to decide where to deliver the token.

For example, a Rails application might use these params to send an email:

class AuthnController < ApplicationController
  # Called server-to-server by AuthN with the user:pass from APP_PASSWORD_RESET_URL (env var names assumed)
  http_basic_authenticate_with name: ENV.fetch("AUTHN_RESET_USER"), password: ENV.fetch("AUTHN_RESET_PASSWORD")
  skip_before_action :verify_authenticity_token, only: :password_reset # no CSRF token on a server-to-server POST

  def password_reset
    @user = User.find_by(account_id: params[:account_id])
    # An unknown account_id is not an error; answer 200 either way so the response leaks nothing
    AccountMailer.password_reset(@user, params[:token]).deliver_later if @user
    head :ok
  end
end

AuthN

Set APP_PASSWORD_RESET_URL with the full URL of your password reset endpoint. For the example above, it might look like:

# development
APP_PASSWORD_RESET_URL=http://localhost:3000/authn/password_reset

# production
APP_PASSWORD_RESET_URL=https://user:pass@myapp.io/authn/password_reset

Frontend

First, create a place for users to begin the process:

  1. Create a form where the user may enter an account email.
  2. Submit the email to AuthN. Note that AuthN always reports success, so the response cannot be used to discover which emails have accounts.

Then, create a place for users to continue the process after clicking through your email:

  1. Create a form where the user may enter a new password. This form needs the token that your app sent to the user earlier.
  2. Submit the token and new password to AuthN.
  3. If successful, the user will be logged in.
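The backend callback and the link the frontend later reads back, as a framework-free Ruby example added here (not AuthN's or the guide's own code). It assumes a constructed in-memory user table, constructed Basic Auth credentials matching the user:pass in APP_PASSWORD_RESET_URL, and a link format the page leaves to you: the token carried as a query parameter of the app's own "choose a new password" page. The Rails snippet above gets the Basic Auth check from http_basic_authenticate_with; here it is spelled out, with a constant-time comparison, and the handler answers 200 for known and unknown account_ids alike so the app never undoes AuthN's enumeration protection.

```ruby
require "digest"
require "uri"

# Constructed in-memory user table, standing in for User.find_by(account_id:) in Rails.
USERS = { 42 => { email: "alice@example.com" } }.freeze

# Credentials AuthN presents: the user:pass part of APP_PASSWORD_RESET_URL (values constructed).
RESET_CREDS = { user: "user", password: "pass" }.freeze

# Constant-time equality: hash both sides to equal length, then OR together every byte
# difference so the time taken does not depend on where the first mismatch is.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a.to_s).bytes
  db = Digest::SHA256.digest(b.to_s).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify an HTTP Basic Authorization header against the expected credentials.
# Both fields are always compared so a wrong user and a wrong password cost the same.
def basic_auth_ok?(authorization, expected_user, expected_password)
  return false unless authorization.to_s.start_with?("Basic ")
  decoded = begin
    authorization.split(" ", 2).last.unpack1("m0") # strict base64; raises on malformed input
  rescue ArgumentError
    return false
  end
  user, password = decoded.split(":", 2)
  secure_compare(user, expected_user) & secure_compare(password, expected_password)
end

# Build the link the email carries (format assumed: token in the query string of your own page).
# encode_www_form makes the token URL-safe even if its characters change in a later AuthN version.
def reset_link(base_url, token)
  uri = URI.parse(base_url)
  uri.query = URI.encode_www_form(token: token)
  uri.to_s
end

# What the frontend does after the click: pull the token back out of the link, ready to be
# submitted to AuthN together with the new password.
def token_from_link(url)
  Hash[URI.decode_www_form(URI.parse(url).query.to_s)]["token"]
end

# The callback handler. Returns [status, body] and appends [email, link] to `outbox` when there
# is someone to deliver to. Only the Basic Auth failure changes the status; an unknown
# account_id still gets 200 so nothing about account existence leaks through this app.
def handle_password_reset(authorization, params, outbox, users: USERS, creds: RESET_CREDS,
                          page: "https://myapp.io/choose-password")
  return [401, "unauthorized"] unless basic_auth_ok?(authorization, creds[:user], creds[:password])
  user = users[params["account_id"].to_i]
  outbox << [user[:email], reset_link(page, params["token"])] if user
  [200, "ok"]
end

if __FILE__ == $PROGRAM_NAME
  outbox = []
  header = "Basic " + ["user:pass"].pack("m0")
  p handle_password_reset(header, { "account_id" => "42", "token" => "hdr.payload.sig" }, outbox)
  p outbox
end
```

The two 401 cases (missing header, wrong secret) are the only ones where the caller learns anything, and that caller is AuthN itself; a human hitting this endpoint without the shared credentials sees nothing about account_id values. In Rails the same shape comes from http_basic_authenticate_with plus head :ok, as in the controller above.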

Related Guides