This repository has been archived by the owner on Dec 13, 2020. It is now read-only.

Forgot password feature #1878

Closed
teosarca opened this issue Jul 13, 2018 · 10 comments

teosarca commented Jul 13, 2018

Is this a bug or feature request?

FR
backend task: metasfresh/metasfresh-webui-api-legacy#1006

What is the current behavior?

Which are the steps to reproduce?

What is the expected or desired behavior?

Implement forgot password functionality as follows.

Login screen: we need the Forgot password link

image

Page: Send reset password instructions

image

In this screen user shall enter his/her email address and then press on that button to request an email with reset password link.

When user presses the button:

Page: Set the new password

In previous step, user got an email with password reset instructions.
There he/she got the password reset link which looks like:
https://w101.metasfresh.com:8443/resetPassword?token=ecde7596-7e29-4f85-81f1-502b7f84b1f7
Remark:

  • the frontend shall render the password reset page on "/resetPassword" path
  • the password reset token is provided as parameter

Using that token the frontend shall render the password reset page:

image

To fetch user's full name and email please use: http://w101.metasfresh.com:8081/swagger-ui.html#!/login-rest-controller/getResetPasswordInfoUsingGET

!!! Don't show the user eMail address on the password change screen !!!

To fetch user's avatar please use: http://w101.metasfresh.com:8081/swagger-ui.html#!/login-rest-controller/getUserAvatarUsingGET which will return the avatar picture if available.

After user is filling the new password and he/she is retyping the new password, frontend shall validate if the new password and retyped password match. If not, it shall display the {{webui.forgotPassword.error.retypedNewPasswordNotMatch}} message and the button shall not be active.

If everything is OK, frontend shall call http://w101.metasfresh.com:8081/swagger-ui.html#!/login-rest-controller/resetPasswordCompleteUsingPOST endpoint in order to reset the password.

That endpoint might return an error (e.g. password is not valid). That error shall be shown.

In case everything is OK, the user will be logged in and the endpoint will return EXACTLY the same as http://w101.metasfresh.com:8081/swagger-ui.html#!/login-rest-controller/authenticateUsingPOST .
Frontend shall work exactly the same as on login.
If the loginComplete property is true then user is logged in and the main page shall be displayed.
If the loginComplete property is false then the "pick role screen" shall be displayed.

NOTE: internally webui messages are prefixed with webui. but when we provide them to frontend we strip out the webui. prefix. When writing this concept I forgot about that, so that's why all the messages are prefixed with webui. (see http://w101.metasfresh.com:8081/rest/api/i18n/messages?filter=forgotPassword)
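The reset-page behaviour specified in the issue above, sketched as an added example (not part of the original issue and not metasfresh code). All function names are hypothetical; `postResetComplete` stands in for the call to the resetPasswordComplete endpoint, and its `{ token, password }` argument shape is an assumption.

```javascript
// Added example: names below are hypothetical, not metasfresh code.
// Message key as the frontend receives it ('webui.' prefix stripped, per the NOTE).
const MSG_MISMATCH = 'forgotPassword.error.retypedNewPasswordNotMatch';

// Read the reset token from a link such as /resetPassword?token=<token>.
// Returns null for a wrong path or a missing, empty or repeated token parameter.
function extractResetToken(href) {
  const url = new URL(href);
  if (url.pathname !== '/resetPassword') return null;
  const tokens = url.searchParams.getAll('token');
  if (tokens.length !== 1 || tokens[0].trim() === '') return null;
  return tokens[0];
}

// Compare the new and retyped password; the button is active only on a match.
function validateNewPassword(password, retyped) {
  if (!password) return { buttonActive: false, messageKey: null };
  if (password !== retyped) return { buttonActive: false, messageKey: MSG_MISMATCH };
  return { buttonActive: true, messageKey: null };
}

// Same decision as after a normal login: main page or "pick role screen".
function screenAfterLogin(response) {
  return response && response.loginComplete === true ? 'main' : 'pickRole';
}

// Whole flow. postResetComplete is an injected function (assumption) that calls
// the resetPasswordComplete endpoint and rejects with an Error on failure.
async function completeReset(href, password, retyped, postResetComplete) {
  const token = extractResetToken(href);
  if (token === null) return { screen: 'resetPassword', error: 'missing token' };
  const check = validateNewPassword(password, retyped);
  if (!check.buttonActive) return { screen: 'resetPassword', messageKey: check.messageKey };
  try {
    const response = await postResetComplete({ token, password });
    return { screen: screenAfterLogin(response) };
  } catch (err) {
    // The endpoint's error (e.g. password is not valid) is shown to the user.
    return { screen: 'resetPassword', error: err.message };
  }
}
```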


metas-mk commented Jul 13, 2018

w/ @teo Decided to not show the user eMail address on password change screen.

@siemiatj siemiatj self-assigned this Jul 15, 2018
siemiatj added a commit that referenced this issue Jul 19, 2018
siemiatj added a commit that referenced this issue Jul 19, 2018
- link to reset password
siemiatj added a commit that referenced this issue Jul 22, 2018
- properly get the token from params #1878
siemiatj added a commit that referenced this issue Jul 22, 2018
siemiatj added a commit that referenced this issue Jul 22, 2018
@siemiatj
Contributor

@teosarca @metas-mk 3 things :

  1. The passcode sent message seems a bit long. Should we make it shorter, bigger button, bigger window AND button ?

screen shot 2018-07-22 at 01 37 05

  2. All the error messages come in German. Is it fixable on the backend ?

screen shot 2018-07-22 at 23 29 10

  3. What should happen if user is redirected to /resetPassword?token=<token> and the token is invalid (for instance user sent himself two codes and clicked the older one) ? Should we redirect him back to the /forgottenPassword form and show some custom message about token being invalid ? Redirect back to login ? Stay on /resetPassword and show message ?

@siemiatj
Contributor

Forgot about the fourth thing ;) The avatar request returns JFIF data that frontend cannot really display properly using base64. Can we just get a base64 encoded stream instead ?

@teosarca
Member Author

@siemiatj

  1. IMHO that message shall not be displayed on a button but in some div/paragraph. There is no action required from user. We are just informing the user that he/she got an email and he/she will click on the link from that email and will continue from there (in a new browser tab/window).

  2. good point. I shall use the user's language. Atm we are doing this, but after user is logged in.
    But I think it would make sense to use user's language even in this case.
    Have to think how to do it.

  3. The endpoint will fail with some error message. I think we shall show that error message to user and have a button to go back to Forgot password page.

The avatar request returns JFIF data that frontend cannot really display properly using base64. Can we just get a base64 encoded stream instead ?

let's talk about this. But that endpoint returns a real picture, same as the other image endpoints that we have return.

@metas-Kay
Member

Hi,
when I attempt to log in on https://w101.metasfresh.com:8443/ without Login and/or Password, I get a long error message like this:
metasfresh pw

instead of something like this:

metasfresh pw2

Not sure, if this issue exists for other instances, too. Just stumbled upon it and thought I'd mention it. (:

siemiatj added a commit that referenced this issue Aug 7, 2018
siemiatj added a commit that referenced this issue Aug 7, 2018
- link to reset password
siemiatj added a commit that referenced this issue Aug 7, 2018
siemiatj added a commit that referenced this issue Aug 7, 2018
- properly get the token from params #1878
siemiatj added a commit that referenced this issue Aug 7, 2018
siemiatj added a commit that referenced this issue Aug 7, 2018
siemiatj added a commit that referenced this issue Aug 7, 2018
siemiatj added a commit that referenced this issue Aug 8, 2018
siemiatj added a commit that referenced this issue Aug 8, 2018
siemiatj added a commit that referenced this issue Aug 8, 2018
siemiatj added a commit that referenced this issue Aug 14, 2018
metas-mk added a commit to metasfresh/metasfresh that referenced this issue Aug 22, 2018
metas-ts added a commit to metasfresh/metasfresh that referenced this issue Aug 27, 2018
[#4492](#4492) Project Status and Product Category Trl
[#4494](#4494) Projecttype Org Validation
[#4448](#4448) Advanced BLs to create inventory lines
[#4450](#4450) Tablet optimized inventory-counting-window
[#4482](#4482) Support Doctype Text templates also on purchase order
[#4498](#4498) Make fields in explicit user filter mandatory or optional
[#4501](#4501) LogicExpressionEvaluator: improve error message in case something went wrong
[#4517](#4517) Extend Sales Order REST API to support price and support all product values
[#1878](metasfresh/metasfresh-webui-frontend-legacy#1878) Forgot password feature
[#4483](#4483) Payment allocation form does not show invoices
[#4499](#4499) Cannot create letter
[#4504](#4504) Mandatory logic broken for C_FlatrateTerm.C_Currency_ID
[#4506](#4506) Compensation Group's subtotals gets broken after setting/changing the flatrate conditions
[#4509](#4509) NPE in Compensation Groups creation
[#4514](#4514) Include sales orders REST API to metasfresh-dist/serverRoot
[#1188](metasfresh/metasfresh-webui-frontend-legacy#1188) Home and End button move caret in text fields
[#1463](metasfresh/metasfresh-webui-frontend-legacy#1463) Unable to execute any quick actions in Firefox
[#1578](metasfresh/metasfresh-webui-frontend-legacy#1578) Applied filter params sometimes not displayed in filter
[#1589](metasfresh/metasfresh-webui-frontend-legacy#1589) included tab: when refreshing via websocket event the sort/order is not preserved
[#1707](metasfresh/metasfresh-webui-frontend-legacy#1707) Red line is missing when a document was not saved
[#1872](metasfresh/metasfresh-webui-frontend-legacy#1872) [alt]+u not working as before
[#1923](metasfresh/metasfresh-webui-frontend-legacy#1923) Sequence of Dropdowns in combined Business Partner Lookups not working
[#1927](metasfresh/metasfresh-webui-frontend-legacy#1927) No additional filter parameter from a dropdown selectable when filter has a default value set

metas-dh commented Aug 31, 2018

Results of IT1
tested in release

  1. Forgot password link in Login Screen: OK

  2. click Forgot Password link:

  • screen opens to enter email address, in .../forgottenPassword: OK
  • email address suggested after entering the first letters: OK i think?
  3. info about email with link for resetting PW being sent (just info, not a button): OK
  4. email for resetting PW: only text, no link included?
    2018-08-31 15_11_22-einrichtung eines neuen passwortes - nachricht nur-text

@teosarca
Member Author

@metas-dh

email address suggested after entering the first letters: OK i think?

yup, it's ok. that's ur browser...

email for resetting PW: only text, no link included?

that might be a backend issue.... but I think it's only a config issue.
is the webui.frontend.url sysconfig set?
It shall be set to something like https://mf15adit.


metas-dh commented Sep 3, 2018

is the webui.frontend.url sysconfig set?

no, it wasn't, got an email with the correct link now after setting it.. thx for the hint.


metas-dh commented Sep 4, 2018

continued IT1 (in release)

  1. email for resetting PW: link included, opens /resetPassword?token site: OK
  • don't show the user eMail address on the password change screen: OK, just the user name and user avatar were shown
  • if avatar is not available: displayed avatar OK like this?
    2018-09-04 09_14_32-metasfresh
  2. add a new PW twice, OK:
  • if new password and retyped password don't match:
    • "Retyped new password does not match.": OK
    • button for logging in not active: OK
  • new password and retyped password match:
    • loginComplete property is true then user is logged in and the main page shall be displayed: OK
    • loginComplete property is false then the "pick role screen" shall be displayed: OK
  • if new PW was set already and user is logged in: "Verbindungsproblem" and error msg: "Server error, User already logged in": OK
  3. token is invalid (for instance user sent himself two codes and clicked the older one) => The endpoint will fail with some error message. I think we shall show that error message to user and have a button to go back to Forgot password page:
  • i tried that testcase, with sending two codes and using the older one, but that worked fine; is that OK?
  4. language shall use the user's language: had de_DE set for my user, but the language in the resetting PW process was mostly en_US: NOK i think

  5. reset PW not matching the usual PW requirements, e.g. too short (tried with only 4 letters): just showed "Verbindungsproblem", but no info about PW being invalid bc of length: NOK i think

@teosarca pls let me know if i forgot to test anything


metas-dh commented Sep 6, 2018

created follow ups for the NOKs (see above):
metasfresh/metasfresh-webui-api-legacy#1038
metasfresh/metasfresh-webui-api-legacy#1039
