Separate reset password and account activation #1879
Merged
Problem
When creating an account for someone else, we send an activation email which is basically just a password reset with different words.
The reset link in there expires after an hour (by default) which is fine, but when creating a new user, it might be too short of a time before they even see the email sitting in their inbox.
Solution
This PR separates regular password resets from account activations.
Previously, when you tried to reset a password, it would change the notification based on whether you had a password. Now, we'll send an activation notification when you create a user, and a regular password reset everywhere else.
Password Brokers
Laravel uses a password broker to manage password reset tokens. The broker can have an expiration length set.
This PR introduces a config that lets you define which broker to use when it's doing an account activation vs. a regular password reset.
By default it'll be configured to use the same for both, just by looking at the defaults. This should prevent any issues when people install Statamic into an existing Laravel app.
But in our statamic/statamic repo, we'll tweak the defaults:
Password Reset YAML Files
When Statamic notices that it's configured to store users in files, it overrides how password reset tokens are stored. It puts them into a YAML file instead of a database.
This PR will store them in separate files for each broker, named after the table in the config.
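To illustrate the Password Brokers section above, here is an added configuration sketch; it is not taken from this PR or from the Statamic repositories. The broker names, table names and expiry values are constructed, and the `passwords.resets` / `passwords.activations` keys in the Statamic users config are an assumption about how the new setting is exposed.

```php
<?php
// config/auth.php (excerpt) - standard Laravel broker definitions.
// Two brokers share the same user provider but keep separate token
// stores and separate lifetimes. Names and values are constructed.
$authPasswords = [
    'defaults' => [
        'passwords' => 'resets',
    ],
    'passwords' => [
        // Regular password resets: short-lived token.
        'resets' => [
            'provider' => 'users',
            'table'    => 'password_resets',
            'expire'   => 60,      // minutes (one hour)
            'throttle' => 60,      // seconds between reset requests
        ],
        // Account activations: longer window so the invited user has
        // time to find the email. A longer lifetime also means a leaked
        // link stays usable longer, so keep it as short as is workable.
        'activations' => [
            'provider' => 'users',
            'table'    => 'password_activations',
            'expire'   => 4320,    // minutes (three days), constructed value
            'throttle' => 60,
        ],
    ],
];

// config/statamic/users.php (excerpt) - ASSUMED key names.
// Maps each purpose to one of the brokers defined above. Pointing both
// at the default broker reproduces the single-broker behaviour.
$statamicUsers = [
    'passwords' => [
        'resets'      => 'resets',
        'activations' => 'activations',
    ],
];
```

With file-based users, the two `table` values above would become the names of the two separate YAML token files described in the last section.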