[Yanel-dev] thoughts on forgotten password handling (thru E-mail)

Guillaume Déflache guillaume.deflache at wyona.com
Tue Jun 16 19:28:38 CEST 2009


Hi!

I prefer writing them here instead of in the bug to ease preliminary 
discussions, but please also cf. 
http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=7164

Synopsis:
- provide a page where the unfortunate user can enter his E-mail address 
and login (in the general case that is; for some projects the login may be 
guessable by searching among users for the given E-mail address, but I 
am not sure they are always relatable)
- confirming the form should send a (plain text) E-mail containing a 
confirmation URL with a secret token (e.g. MD5 hash) and a 
human-readable deadline date for visiting the URL
- going to that URL within a (configurable) amount of time 
(corresponding to the above deadline) should allow the user to enter a 
new password as usual (we'd better not set the password automatically 
for him since this involves showing it on the screen in some way, and he 
may as well forget this new, foreign one anyway)
- confirming that form would then change the password

Implementation thoughts:
- the whole implementation should be contained in a single RT directory 
  (e.g. "password-reset-thru-Email") for easy integration
- we may not need 2 resource-types there: "reset-password" for the 
initial page, 
"reset-password?token=0b8d407b-cfb3-45c0-b37a-5d7c3a6c8f70" for the 
linked page
- secret-token/login/E-mail-address/deadline-date tuples need to be 
stored somewhere
   - we could do that in memory as losing them is not a big deal: users 
can request a password reset anew in case of server restarts
   - but then isn't that an issue for clustering? we would have to 
direct the user to the same cluster node where he issued the original 
request
- we might be able to reuse the original code and UI for the second form 
and following action as it should be similar to the change-password use-case

- TODO: see if we could/already share the SMTP config globally in Yanel 
with other RTs ("contact" comes to mind)
- TODO: see how to segregate that work cleanly from other (non-password 
based) authentication schemes, e.g. OpenID which is already (almost) 
supported
- TODO: there may be other ways than E-mail to check the user's identity 
(sending an SMS), so better take that into account when naming and in 
general designing stuff!

WDYT?

Cheers,
    Guillaume
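As an added example (not part of this message and not Yanel's code), the flow sketched above in Python: a token store holding secret-token/login/E-mail/deadline tuples, the plain-text mail with the confirmation URL and a human-readable deadline, a non-consuming check for the GET of the URL, and a consuming check when the new password is confirmed. The names `ResetTokenStore`, `RESET_URL`, `TOKEN_TTL`, `confirmation_mail` and `demo`, the two-hour window and the example.org URL are all assumptions made up for illustration. Two design choices worth noting: the token is drawn from the OS CSPRNG (`secrets`) rather than derived from anything an attacker could know, and the store keeps only a SHA-256 fingerprint of it, so a dump of the store (or a shared database, which is what the clustering question would push towards) does not hand out usable tokens.

```python
"""Password-reset-by-E-mail token handling (added example, not Yanel code).

Assumptions not in the original post: the reset page URL, the two-hour
validity window and all class/function names below are hypothetical.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

RESET_URL = "https://example.org/reset-password"  # hypothetical
TOKEN_TTL = timedelta(hours=2)                    # the "configurable amount of time"


@dataclass
class PendingReset:
    login: str
    email: str
    deadline: datetime


def _fingerprint(token: str) -> str:
    # Keep only a hash of the token in the store; a leaked copy of the store
    # then cannot be replayed, and dict lookup by digest needs no
    # constant-time compare (learning digest bytes does not yield the token).
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ResetTokenStore:
    """Secret-token/login/E-mail/deadline tuples, keyed by token fingerprint."""

    def __init__(self, ttl: timedelta = TOKEN_TTL) -> None:
        self._ttl = ttl
        self._pending: Dict[str, PendingReset] = {}

    def request_reset(self, login: str, email: str,
                      now: datetime) -> Tuple[str, datetime]:
        # One outstanding token per login: a new request cancels older ones.
        self._pending = {k: v for k, v in self._pending.items()
                         if v.login != login}
        # 32 random bytes from the OS CSPRNG: unguessable, unlike a hash of
        # attacker-known values such as the login or the E-mail address.
        token = secrets.token_urlsafe(32)
        deadline = now + self._ttl
        self._pending[_fingerprint(token)] = PendingReset(login, email, deadline)
        return token, deadline

    def peek(self, token: str, now: datetime) -> bool:
        """GET of the confirmation URL: show the new-password form only if live."""
        entry = self._pending.get(_fingerprint(token))
        return entry is not None and now <= entry.deadline

    def consume(self, token: str, now: datetime) -> Optional[str]:
        """POST of the new-password form: return the login once, or None.

        The entry is removed on every hit, so the token is single-use and an
        expired token cannot be revived later.
        """
        entry = self._pending.pop(_fingerprint(token), None)
        if entry is None or now > entry.deadline:
            return None
        return entry.login


def confirmation_mail(email: str, token: str, deadline: datetime) -> str:
    """Plain-text mail body: URL carrying the token plus a readable deadline."""
    url = f"{RESET_URL}?token={token}"
    when = deadline.strftime("%Y-%m-%d %H:%M %Z")
    return (f"To: {email}\n\n"
            "Someone (hopefully you) asked to reset your password.\n"
            f"Visit {url}\n"
            f"before {when}. If you did not ask for this, ignore this mail.\n")


def demo() -> dict:
    """Walk the flow with a fixed clock (constructed data) and report results."""
    store = ResetTokenStore()
    t0 = datetime(2009, 6, 16, 19, 28, tzinfo=timezone.utc)
    token, deadline = store.request_reset("guillaume", "g@example.org", t0)
    mail = confirmation_mail("g@example.org", token, deadline)
    results = {
        "mail_has_url": f"{RESET_URL}?token={token}" in mail,
        "form_shown": store.peek(token, t0 + timedelta(minutes=30)),
        "wrong_token": store.consume("not-the-token", t0 + timedelta(minutes=30)),
        "login_on_confirm": store.consume(token, t0 + timedelta(minutes=31)),
        "replay": store.consume(token, t0 + timedelta(minutes=32)),
    }
    token2, _ = store.request_reset("guillaume", "g@example.org", t0)
    results["expired"] = store.consume(token2, t0 + timedelta(hours=3))
    token3, _ = store.request_reset("guillaume", "g@example.org", t0)
    token4, _ = store.request_reset("guillaume", "g@example.org", t0)
    results["superseded"] = store.consume(token3, t0)   # cancelled by token4
    results["latest_ok"] = store.consume(token4, t0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Splitting `peek` from `consume` matters for the two-step UI in the synopsis: if the GET already consumed the token, the following POST of the new password would have nothing left to verify and would have to trust a session instead. Swapping the in-memory dict for a shared table keyed by the same fingerprint keeps this scheme working across cluster nodes.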


More information about the Yanel-development mailing list