[Yanel-dev] [Bug 7164] handle forgotten passwords

Guillaume Déflache guillaume.deflache at wyona.com
Fri Jun 26 09:52:29 CEST 2009


bugzilla at wyona.com schrieb:
> http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=7164
> 
> ------- Comment #1 from pupreti at yahoo.com  2009-06-26 05:49 -------
> I am adding this text after going through Guillaume's email (thoughts on
> forgotten password handling) dated June 16th.
> 
> Listed below is a summary of the tasks I think are necessary to achieve this and
> also open questions:
> 
> 1.  User clicks on link that says "forgot password".  User gets a screen where
> he/she can enter the email.  They enter the email. System verifies email
> address exists and creates a URL to be sent via email.  The URL will have a
> randomly generated id.
> 
> question:  My understanding is yanel does not have a central config
> database (could be wrong here). How can I access a single repository so that
> multiple boxes can access the same data? I would like to have a central
> repository where I can store the randomly generated id, email, expiration date/time
> to manage the forgot pw.

You could use the data repository of the realm your resource-type is 
running in, see org.wyona.yanel.core.Resource.getRealm().getRepository().
Or maybe as was said as the info really does not need to be persisted 
long-term we could use the HTTP session if we can bear that 
session-replication would have to be activated in a clustered setup just 
for that.

WDYOT?


> 2.  User gets the link via email which is then clicked to get to the change pw
> screen. There user enters the new pw 2 times.  When this is submitted, the
> backend system will match the random id with what is in the central repository
> and implement the appropriate rule (encrypt and update pw).

Correct, whereas as said we should be able to reuse/refactor the 
existing backend code for the change password feature, so you should not 
have to care about the details.


> question:  Michael mentioned that the random-id link validation needs to be
> configurable (12 hrs, 1 hr) etc.  Where is the best place to put that value?

It should probably be a resource-type property, as e.g. 
"show-collections-only" in 
http://yanel.org/yanel/resource-types/^http^3a^2f^2fwww.wyona.org^2fyanel^2fresource^2f1.0::lookup/yanel/doc/index.html 
is.

> Also do we need admin UI to manage that data?

I'd say we don't as it's not going to change often once projects are 
humming happily.


> I would like to keep this simple and straightforward for this phase. Once this is
> stable then additional stuff.

Sure, let's try to keep things simple.


Cheers,
    Guillaume
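
The two-step flow discussed in this thread (issue a randomly generated id tied to an email address and an expiry, mail it as a link, then match the id on the change-password screen) as an added Java example. This is not Yanel code: the class name, the in-memory map standing in for the realm's data repository or the HTTP session, the `Duration` standing in for the resource-type property, and the sample address and URL are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical store for pending "forgot password" requests (example code, not Yanel's). */
public class ResetTokenStore {

    private static final SecureRandom RNG = new SecureRandom();

    /** One pending request: the address it was issued for and when it stops being valid. */
    static final class Entry {
        final String email;
        final Instant expires;
        Entry(String email, Instant expires) { this.email = email; this.expires = expires; }
    }

    // Assumption: a map stands in for the realm's data repository (or the HTTP session).
    // The key is a SHA-256 hash of the token, so a copy of the store alone cannot be
    // used to build a valid reset link.
    private final Map<String, Entry> entries = new ConcurrentHashMap<>();
    private final Duration ttl;   // validity window; in Yanel a resource-type property (e.g. 1h, 12h)

    public ResetTokenStore(Duration ttl) { this.ttl = ttl; }

    /** Step 1: create a token for the address and return it so the caller can put it in the mailed URL. */
    public String issue(String email, Instant now) {
        byte[] raw = new byte[32];                // 256 bits from SecureRandom, never java.util.Random
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        entries.put(hash(token), new Entry(email, now.plus(ttl)));
        return token;
    }

    /** Step 2: redeem the token from the clicked link. Returns the email on success, null otherwise. */
    public String redeem(String token, Instant now) {
        Entry e = entries.remove(hash(token));    // remove first: a token is single-use
        if (e == null) return null;               // unknown or already used
        if (now.isAfter(e.expires)) return null;  // link validity window has passed
        return e.email;
    }

    /** Drop entries whose window has passed; returns how many were removed. Call periodically. */
    public int purge(Instant now) {
        int before = entries.size();
        entries.values().removeIf(e -> now.isAfter(e.expires));
        return before - entries.size();
    }

    private static String hash(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException("SHA-256 is available in every JRE", ex);
        }
    }

    public static void main(String[] args) {
        ResetTokenStore store = new ResetTokenStore(Duration.ofHours(1));  // constructed 1h window
        Instant t0 = Instant.parse("2009-06-26T09:00:00Z");                // constructed clock
        String token = store.issue("user@example.com", t0);                // constructed address
        System.out.println("mail: https://realm.example/forgot-password?token=" + token);
        System.out.println("in time:  " + store.redeem(token, t0.plus(Duration.ofMinutes(30)))); // the email
        System.out.println("reused:   " + store.redeem(token, t0.plus(Duration.ofMinutes(31)))); // null
        String late = store.issue("user@example.com", t0);
        System.out.println("expired:  " + store.redeem(late, t0.plus(Duration.ofHours(2))));     // null
        System.out.println("purged:   " + store.purge(t0.plus(Duration.ofHours(2))));           // 0, already removed
    }
}
```

The store only ever sees the hash of the token, so the lookup compares hashes rather than the secret itself, and removing the entry before checking the expiry makes each link usable exactly once. Whichever backend ends up holding the entries (realm repository or replicated session), the screen in step 1 should answer the same way whether or not the address exists, so the form does not double as an address-enumeration oracle.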

