Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Separate reset password and account activation #1879

Merged
merged 2 commits into from Jun 1, 2020
Merged

Separate reset password and account activation #1879

merged 2 commits into from Jun 1, 2020

Conversation

jasonvarga
Copy link
Member

@jasonvarga jasonvarga commented May 29, 2020
edited

Problem

When creating an account for someone else, we send an activation email which is basically just a password reset with different words.

The reset link in there expires after an hour (by default) which is fine, but when creating a new user, it might be too short of a time before they even see the email sitting in their inbox.

Solution

This PR separates regular password resets from account activations.

Previously when you try to reset a password, it would change the notification based on whether you had a password. Now, we'll send an activation notification when you create a user, and a regular password reset everywhere else.

Password Brokers

Laravel uses a password broker to manage password reset tokens. The broker can have an expiration length set.

This PR introduces a config that lets you define which broker to use when it's doing an account activation vs. a regular password reset.

By default it'll be configured to use the same for both, just by looking at the defaults. This should prevent any issues when people install Statamic into an existing Laravel app.

// config/statamic/users.php

'passwords' => [
    'resets' => config('auth.defaults.passwords'),
    'activations' => config('auth.defaults.passwords'),
],

But in our statamic/statamic repo, we'll tweak the defaults:

// config/statamic/users.php

'passwords' => [
    'resets' => 'resets',
    'activations' => 'activations',
],
// config/auth.php

'defaults' => [
    'guard' => 'web',
    'passwords' => 'resets',
],

'passwords' => [
    'resets' => [
        'provider' => 'users',
        'table' => 'password_resets',
        'expire' => 60, // 1 hour
    ],
    'activations' => [
        'provider' => 'users',
        'table' => 'password_activations',
        'expire' => 4320, // 3 days
    ],
],

Password Reset YAML Files

When Statamic notices that it's configured to store users in files, it overrides how password reset tokens are stored. It puts them into a YAML file instead of a database.

This PR will store them in separate files for each broker, named after the table in the config.

@jasonvarga jasonvarga force-pushed the feature/longer-activation-token-expiry branch from 0d3bd8f to 2b3bd27 Compare May 29, 2020 18:55
@jasonvarga jasonvarga mentioned this pull request May 29, 2020
Merged
@jasonvarga jasonvarga requested review from jackmcdade and jesseleite and removed request for jackmcdade May 29, 2020 19:18
jesseleite
jesseleite reviewed May 29, 2020
View reviewed changes
Copy link
Member

@jesseleite jesseleite left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slick work as always 🔥

// config/statamic/auth.php

I assume you mean config/statamic/users.php.

Also, I guess we should probably copy the statamic/statamic defaults over to the starter kits as well eh?

config/users.php Show resolved Hide resolved
@jasonvarga
Copy link
Member Author

I assume you mean config/statamic/users.php

Yup, oops, updated.

I guess we should probably copy the statamic/statamic defaults over

Yeah, but it even if we don't they should continue to work fine. The activation tokens will just continue to last for an hour instead of 3 days.

@jesseleite
Copy link
Member

Yeah, but it even if we don't they should continue to work fine. The activation tokens will just continue to last for an hour instead of 3 days.

Totally yeah. But if the purpose of starter kits are setting up sane defaults, I'd say go for it!

jackmcdade
jackmcdade approved these changes Jun 1, 2020
View reviewed changes
Copy link
Member

@jackmcdade jackmcdade left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love the solution.

@jesseleite jesseleite self-requested a review June 1, 2020 14:29
@jasonvarga jasonvarga merged commit 059e958 into master Jun 1, 2020
@jasonvarga jasonvarga deleted the feature/longer-activation-token-expiry branch June 1, 2020 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jackmcdade jackmcdade jackmcdade approved these changes

@jesseleite jesseleite jesseleite approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jasonvarga @jesseleite @jackmcdade