This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Password change without the password reset email #20

Closed
lemieux opened this issue Oct 6, 2014 · 13 comments

@lemieux
Contributor

lemieux commented Oct 6, 2014

Would it be possible to show the password change view directly without having to issue a password reset email? We would want the user to be able to change it directly in our app if he's logged in. I tried to access /forgot/change directly and I got:

Error: Can't set headers after they are sent.
    at ServerResponse.OutgoingMessage.setHeader (http.js:689:11)
    at ServerResponse.header (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:662:10)
    at ServerResponse.send (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:146:12)
    at fn (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:896:10)
    at /home/marcolem/Development/radialpoint/reveal-site/node_modules/hogan-express/hogan-express.js:169:20
    at /home/marcolem/Development/radialpoint/reveal-site/node_modules/hogan-express/hogan-express.js:40:14
    at fs.js:271:14
    at Object.oncomplete (fs.js:107:15)
express deprecated res.send(status): Use res.status(status).end() instead node_modules/express-stormpath/lib/controllers.js:326:11

Error: Can't set headers after they are sent.
    at ServerResponse.OutgoingMessage.setHeader (http.js:689:11)
    at ServerResponse.header (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:662:10)
    at ServerResponse.send (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express/lib/response.js:146:12)
    at /home/marcolem/Development/radialpoint/reveal-site/node_modules/express-stormpath/lib/controllers.js:326:11
    at Object.wrapGetResourceResponse [as _wrapGetResourceResponse] (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express-stormpath/node_modules/stormpath/lib/ds/DataStore.js:66:12)
    at onGetResourceRequestResult (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express-stormpath/node_modules/stormpath/lib/ds/DataStore.js:277:13)
    at Request.onRequestResult [as _callback] (/home/marcolem/Development/radialpoint/reveal-site/node_modules/express-stormpath/node_modules/stormpath/lib/ds/RequestExecutor.js:96:14)
    at Request.self.callback (/home/marcolem/Development/radialpoint/reveal-site/node_modules/request/request.js:123:22)
    at Request.emit (events.js:98:17)
    at Request.<anonymous> (/home/marcolem/Development/radialpoint/reveal-site/node_modules/request/request.js:1047:14)

I am using 0.4.5 from npm

@lemieux lemieux changed the title Password change without the email Password change without the password reset email Oct 6, 2014
robertjd pushed a commit that referenced this issue Oct 9, 2014
adding a switch to /forgot/change so that if we have a logged
in user we don’t read the spoken, rather just render the form

rendering the form is working OK, but when I try to post the form
I get an immediate 404 Not Found, and thus any call to render
within the form success handler is causing a “can’t set headers
after re-sent” error
@robertjd
Member

robertjd commented Oct 9, 2014

This is a great request. I've tried to support it but I ran into some problems, I have to pause for now but look at commit be3efae on the gh-20 branch. See comments in the commit. Basically I tried to render the form w/o reading the spreset token (which won't exist in this use case) but when I post that form I'm getting a 404 not found.

@lemieux
Contributor Author

lemieux commented Oct 9, 2014

I'm not working on this feature right now on my side, but if I'm getting there before you I'll pick up your branch to see what I can do.

@robertjd
Member

robertjd commented Oct 9, 2014

Thanks @lemieux ! I'll post back too when I pick this up

@lemieux
Contributor Author

lemieux commented Oct 28, 2014

I just thought of something about this... this is not a good idea.

If this was implemented, a user could have his password changed by anyone who has access to his computer while logged in... the form doesn't ask for the previous password.

This should be closed. The proper way to do this would be to have a real password change view I guess.

@rdegges
Contributor

rdegges commented Oct 29, 2014

Agreed -- going to close this.

@bartzilla

What about forcing the user to type in his old password and then ask for the new password & confirm new password? Is this supported by Stormpath?

@rdegges
Contributor

rdegges commented Mar 28, 2016

Hey @bartzilla, you can indeed do this, but that functionality isn't pre-built into express-stormpath (a page, for instance). What you'd need to do is:

  • Create a route / view that forces a user to change their password.
  • In your code, just update the user's password and save their account, for instance:

    req.user.password = 'newpassword';
    req.user.save();
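
The flow discussed in this thread (old password, then new password and confirmation, so that an open session alone cannot change the password), as an added example that is not part of the original comments and is not express-stormpath code. `makeAccount` and `changePassword` are hypothetical names, and the in-memory account with a local scrypt hash is a constructed stand-in for an account whose current password would be checked by the identity provider.

```javascript
// Added example: all names here are hypothetical, not express-stormpath APIs.
const nodeCrypto = require('crypto');

// Constructed stand-in for an account object: stores a salted scrypt hash and
// mimics the `account.password = ...; account.save()` shape used in the thread.
function makeAccount(initialPassword) {
  const hash = (pw, salt) => nodeCrypto.scryptSync(pw, salt, 32);
  let salt = nodeCrypto.randomBytes(16);
  let stored = hash(initialPassword, salt);
  return {
    password: undefined,
    // Constant-time comparison of the supplied password against the stored hash.
    verify(pw) {
      return nodeCrypto.timingSafeEqual(hash(String(pw), salt), stored);
    },
    save() {
      salt = nodeCrypto.randomBytes(16);
      stored = hash(this.password, salt);
      this.password = undefined; // do not keep the plaintext around
    },
  };
}

// Core check for a logged-in password change: the session alone is not enough,
// the caller must also prove knowledge of the current password.
function changePassword(account, form) {
  const { currentPassword, newPassword, confirmPassword } = form;
  if (typeof currentPassword !== 'string' || typeof newPassword !== 'string') {
    return { status: 400, error: 'missing fields' };
  }
  if (!account.verify(currentPassword)) {
    return { status: 403, error: 'current password is incorrect' };
  }
  if (newPassword !== confirmPassword) {
    return { status: 400, error: 'new passwords do not match' };
  }
  if (newPassword === currentPassword) {
    return { status: 400, error: 'new password must differ' };
  }
  account.password = newPassword;
  account.save();
  return { status: 200 };
}
```

In a route handler, `account` would be the logged-in user's account and `form` the parsed request body; the returned `status` maps directly onto the HTTP response.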

@robertjd
Member

Hey @bartzilla , thanks for the question! As @rdegges mentioned we don't have an out-of-the-box form for a logged-in password change form, but it's really easy to roll this into your profile page. We have an example profile page here, you'd just need to modify it a bit to add the change password fields:

https://github.com/stormpath/express-stormpath-sample-project/

Hope this helps!

@bartzilla

Hey @robertjd and @rdegges very useful information indeed. I managed to implement the use case. Thank you very much for your direction and quick response.
Best!

@robertjd
Member

Awesome @bartzilla , glad you've got it working now! Always happy to help :)

@EricMentele

@rdegges Can you do this with just plain node?

"Hey @bartzilla, you can indeed do this, but that functionality isn't pre-built into express-stormpath (a page, for instance). What you'd need to do is:

Create a route / view that forces a user to change their password.
In your code, just update the user's password and save their account, for instance:

    req.user.password = 'newpassword';
    req.user.save();

@robertjd"

@rdegges
Contributor

rdegges commented Jun 17, 2016

@EricMentele yep! Same exact thing, you can do it with an account, eg:

account.password = 'blah';
account.save();

@EricMentele

@rdegges thanks! Got it working.
