Generated link to reset password uses insecure protocol

[jvendetti]

Reported by an end user:

FYI, the link below is HTTP and not HTTPS...

admin@bioontology.org wrote on 12/4/19 6:34 PM:
Someone has requested a password reset for user xxx. If this was you, please click on the link below to reset your password. Otherwise, please ignore this email.

http://bioportal.bioontology.org/reset_password

We're hard-coding the HTTP protocol in the reset_password method.

[andrew-nguyen]

It would also be helpful if http://bioportal.bioontology.org redirected automatically to https. Thanks!

[andrew-nguyen]

Another related issue is the token never seems to expire (either after a certain amount of time or after being used once). I just clicked on the link that was generated over a week ago and was able to arbitrarily reset my password again.

[jvendetti]

Another related issue is the token never seems to expire (either after a certain amount of time or after being used once).

I entered a separate issue for this, as the code that generates the tokens lives in a different repository. See ncbo/ontologies_api#60.

[jvendetti]

It would also be helpful if http://bioportal.bioontology.org redirected automatically to https

Yes, we agree. See relevant issues:

ncbo/bioportal-project#83
ncbo/biomixer#2

[jvendetti]

Fixed with this commit: 78fa10a