User Reset Password Link

Rationale

It is common for login forms to have a reset password link for users that have forgotten their password. This enables users to reset their password themselves without needing to contact the system administrator or support.

There have been several topics about this feature:

Proposal

The design should be similar to that implemented in the web_user module and follow these guidelines: Forgot Password - OWASP Cheat Sheet Series

A new anonymous RPC method common.db.reset_password will allow a user who is not logged in to request a password reset. A configuration setting will allow this to be deactivated if required.

When a password reset is started, the User.password_reset method will generate a temporary password and send it to the user via email. This password will expire after a set (configurable) amount of time. Any attempt to reset the password again before the temporary password expires is ignored.

Until a new password is set the user’s existing password continues to work. As soon as a new password is set any temporary passwords are cleared and will no longer work.

It seems like it only makes sense to allow “password” resets for the password session.authentications method. If other/additional authentication methods are in use then resetting the user’s “password” (or other login details) should probably be left to the administrator to do manually once they have verified the user’s identity.

Implementation

TBC
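The flow proposed above, as an added example that is not Tryton's code: an in-memory stand-in for the User model implementing the proposed temporary-password reset (generation, expiry, ignored repeat requests, existing password still valid, cleared on new password) plus the anonymous entry point in front of it. The names `User.set_password`, `reset_password`, `RESET_PASSWORD_DURATION` and the `send_email` callback are assumptions; the injectable `now` clock exists only to make expiry testable.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumed setting: how long a temporary password stays valid.
RESET_PASSWORD_DURATION = timedelta(hours=1)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class User:
    """In-memory stand-in for the proposal's User model (constructed, not Tryton's)."""

    def __init__(self, login, password, email, now=lambda: datetime.now(timezone.utc)):
        self.login, self.email, self.now = login, email, now
        self.salt = secrets.token_bytes(16)
        self.password_hash = _hash(password, self.salt)
        self.temp_hash = self.temp_expire = None  # no temporary password yet

    def password_reset(self, send_email):
        """Generate and mail a temporary password; return False if one is still valid."""
        if self.temp_expire is not None and self.now() < self.temp_expire:
            return False  # unexpired temporary password: the request is ignored
        temp = secrets.token_urlsafe(12)
        self.temp_hash = _hash(temp, self.salt)
        self.temp_expire = self.now() + RESET_PASSWORD_DURATION
        send_email(self.email, temp)
        return True

    def check_password(self, password):
        """The existing password keeps working; the temporary one only until it expires."""
        candidate = _hash(password, self.salt)
        if hmac.compare_digest(candidate, self.password_hash):
            return True
        if self.temp_hash is not None and self.now() < self.temp_expire:
            return hmac.compare_digest(candidate, self.temp_hash)
        return False

    def set_password(self, password):
        """Setting a new password clears any temporary password."""
        self.password_hash = _hash(password, self.salt)
        self.temp_hash = self.temp_expire = None

def reset_password(users, login, send_email, enabled=True):
    """Anonymous entry point (stands in for common.db.reset_password).

    Returns nothing either way, so a caller cannot tell whether the login exists."""
    if not enabled:
        return
    user = users.get(login)
    if user is not None:
        user.password_reset(send_email)
```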

For me it should just permit logging in like the existing feature.
The improvement should only be about requesting the reset in a safe way.

Do you think the best way is to create a new anonymous RPC common.db.reset_password that will call the User.reset_password method? Then include the protection against abuse / denial of service in the reset_password method.

That seems right.
Also I think it should be possible to deactivate it by configuration if some administrator finds it dangerous.
