Page MenuHomeWrite.as
Create Task
Maniphest T508

Password resetting
Closed, ResolvedPublic
Actions

Description

Overview

Allow user to reset their password with an emailed link.

Background

This is happening more frequently.

Implementation

Add "forgot password?" link to login page and Pad dialog. Ask for email address (?).

Heavily rate-limit submitted requests.

Handle different cases:

  • User has an email and password set: mention that they can log in via email (and link to guide), and that an email with a reset link has been sent to them.
  • User only has an email set: mention that they don't have a password set, and can log in via email (link to guide)
  • User only has a password set or email doesn't exist: mention that an email with a reset link has been sent to them.
  • User has no email or password set: mention this and tell them to message us (perhaps pop up chat window)

Email should contain a link with a sudo=1 one-time auth-token that redirects them to /me/settings?pass and only prompts them to pick a new password. Also include the username field so browsers update their saved passwords.

Revisions and Commits

Restricted Diffusion Commit
Restricted Diffusion Commit
Restricted Diffusion Commit
rWF WriteFreely
rWFe3323d11c8b7 Merge pull request #777 from writefreely/reset-password
rWFf404f7b92881 Support resetting password via email

Related Objects
Search...

StatusAssignedTask
Restricted Maniphest Task
 ResolvedmattT508 Password resetting
 ResolvedrobjlorangerT695 Support manual admin password reset
 OpenmattT731 WriteFreely email layer
 OpenmattT905 Support SMTP email config

Event Timeline

matt triaged this task as High priority.Jan 22 2018, 5:53 AM
matt created this task.
matt added a parent task: Restricted Maniphest Task.
matt added a project: Restricted Project.Jan 29 2018, 2:28 AM
matt moved this task from Backlog to Apr - Jun 2018 on the Write.as Web board.Feb 14 2018, 3:57 PM
matt edited projects, added Write.as Web (Apr - Jun 2018); removed Write.as Web.
matt moved this task from Apr - Jun 2018 to Jan - Mar 2018 on the Write.as Web board.Feb 15 2018, 12:21 AM
matt edited projects, added Write.as Web (Jan - Mar 2018); removed Write.as Web (Apr - Jun 2018).
matt changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Nov 18 2018, 8:21 PM
matt edited projects, added WriteFreely, Write.as Web; removed Write.as Web (Jan - Mar 2018).
matt moved this task from Backlog to v1.0 on the WriteFreely board.Jan 4 2019, 11:24 PM
matt edited projects, added WriteFreely (v1.0); removed WriteFreely.
joyeusenoelle added a subscriber: joyeusenoelle.May 7 2019, 5:32 PM

I may be betraying my inexperience with the project, but a question about this case:

  • User only has a password set or email doesn't exist: mention that an email with a reset link has been sent to them.

How do we send email with a reset link if they haven't set an email or if the email they provided doesn't exist in the system?

If someone can establish an account without an email address, it might be worthwhile to set up a "paper key" in the event that they lose their password. The idea is that it would be a separate string, generated by the server, that the user should store separately from their password (on a separate device, perhaps on a slip of paper with other important documents, hence the name). If they lose access to their password, the user can then use the paper key to prove their identity and generate a new one.

matt moved this task from v1.0 to Soon / v1.0 on the WriteFreely board.Jul 21 2019, 3:00 PM
matt edited projects, added WriteFreely; removed WriteFreely (v1.0).
robjloranger added a subscriber: robjloranger.Aug 16 2019, 11:38 PM

I like the paper key idea, or even a set of recovery keys. Usually 8-12 random keys that the user prints or writes down. Then when needed they use one in place of a password, and are directed to set a new password. These are single use.

GitHub <noreply@github.com> closed subtask T695: Support manual admin password reset as Resolved.Nov 11 2019, 4:39 PM
matt added a commit: Restricted Diffusion Commit.Jan 3 2020, 5:26 PM
matt moved this task from Soon / v1.0 to Next Release on the WriteFreely board.Apr 23 2020, 12:39 PM
matt added commits: Restricted Diffusion Commit, Restricted Diffusion Commit.May 30 2020, 2:52 PM
matt added a subtask: T731: WriteFreely email layer.May 30 2020, 3:28 PM
matt added a project: Roadmap.Jul 29 2020, 6:14 PM
matt added a project: Restricted Project.Aug 4 2020, 2:08 PM
matt lowered the priority of this task from High to Medium-High.Sep 11 2020, 10:38 AM
matt moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Mar 3 2021, 7:20 PM
matt moved this task from Future to Q4 2021 - Oct-Dec on the Roadmap board.Jul 7 2021, 5:18 PM
matt removed a project: Roadmap.Jun 3 2022, 6:17 PM
matt closed this task as Resolved by committing rWFf404f7b92881: Support resetting password via email.Sep 25 2023, 10:48 PM
matt added a commit: rWFf404f7b92881: Support resetting password via email.
GitHub <noreply@github.com> added a commit: rWFe3323d11c8b7: Merge pull request #777 from writefreely/reset-password.Oct 3 2023, 4:03 PM
write.as · guide · api