Password reset functionality #67

timwis · 2016-09-05T14:24:57Z

When a user forgets their password, they should be able to reset it via email authentication.

This is a huge pain in the butt. Makes me wish we went with Firebase, which offers it out of the box. Here's what I'm thinking so far:

user hits reset password
client app creates reset-token doc { type: ‘password-reset-token’, created: ‘2016-09-05T01:23:45Z’, user: ‘tester’, token: null }
- but how to give anonymous users write access but not read access?
server listens for new reset-token docs with null tokens
- generate a token and update the doc with it (can it be hashed in case db is compromised?)
- sends an email to the user with a link that includes the token (we’ll need to capture their email on signup)
user receives a reset email with link /reset-password?token=xzcv098welkr
client app generates a form with that token. form posts to server’s /reset-password api endpoint
server, logged in as an admin, changes the user’s password

Other ideas:

What if we just use oauth?
SuperLogin looks like a pretty robust solution, but seems like more than I need.
CouchDB-XO_Auth

timwis · 2016-09-07T10:21:14Z

Reopening as we need a user-driven reset function. The above pull request lets admins reset passwords.

timwis · 2016-09-08T11:48:43Z

timwis modified the milestone: MVP Sep 5, 2016

timwis mentioned this issue Sep 5, 2016

User cli #69

Merged

timwis closed this as completed in #69 Sep 5, 2016

timwis removed this from the MVP milestone Sep 7, 2016

timwis reopened this Sep 7, 2016

timwis mentioned this issue Sep 8, 2016

Password reset #75

Merged

timwis closed this as completed Sep 8, 2016

Provide feedback