Forgot Password Functionality about blog HOT 6 CLOSED

I would implement a "password reset" or "forgot my password" function like this.

• Add passwordResetToken (String) and passwordResetTokenValidUntil (Date) to the user entity
• Add a link to the login page 'I forgot my password'.
  This link opens a page where the user can enter his username or email.
• Add a password reset page where the user can enter the new password

The workflow then would go like this:

1. User clicks on 'I forgot my password'
2. The application opens a dialog where he can enter his username or email
3. The server side code searches the user with username or email.
   When found it sets the passwordResetToken field to a random value and the
   field passwordResetTokenValidUntil to a date in the future. For example: current time + 1 hours
   When the application does not find the user it silently ignores the request and does nothing.
   The application should not show any error messages to the user.
4. When the application finds the user in step 3 it sends an email to the user. The email text contains a
   link with the passwordResetToken in the url.
5. The user clicks on the link and the application opens the password reset page where he can enter the password. The request of this page contains the new password and the token.
   The server checks if current time is less than passwordResetTokenValidUntil and if the token is equal to passwordResetToken.
   If both conditions are met it changes the password and sets passwordResetToken and passwordResetTokenValidUntil to null.

In a web application it's easy to implement a link in the email that opens the application and redirects to a specific page. I'm not exactly sure how to do that in a Cordova application. There is a Cordova plugin https://github.com/nordnet/cordova-universal-links-plugin that allows an application to use Universal Links / Deep Linking. If I understand this correctly this is a way to implement links that start a native application and trigger some action in the app. But I don't have any experience with that.

If you are looking for an example, the application https://github.com/ralscha/eds-starter6-mongodb uses this "password reset" workflow.

I always added two password fields to the sign up page of my previous applications.
But when you look at current sign up pages there are some that only have one password field.
https://twitter.com/signup?lang=en
https://www.facebook.com/r.php
https://www.instagram.com/accounts/emailsignup/?hl=en&signupFirst=true

I guess it's okay to only have one password field when the site has a "password reset" function.
When you mistype your password on the sign up page you can reset it.

from blog.

Thanks a lot for the in depth answer. I think the tricky part will the universal linking into the app be. I will look into that when I find some spare time. Thanks again! 👍

from blog.

I just checked the password reset functionality of one of the apps I use a lot and they do it differently.
After you enter the email address they send you an email with the new password.
Then you can login with this password. But one thing I don't like is that they do not force the user to change the password immediately after he logged in. I guess that should be mandatory because the new password was sent over unsecure email.

from blog.

Good point. The user should definitely be forced to change the password after the first successful login. Another idea was to sent a Code which the user has to enter in the app. But that involves Copy and Pasting and is maybe not considered user friendly.

from blog.

I guess that would not be bad when the code is not too complicated. I also had to remember the new password that they sent me.
When the link does not work this would be a good solution.

from blog.

Oh yes right. Or also copy pasting it. Okay, thanks a lot!

from blog.