[SOLVED] Best practice for resetting your password

[pixobit]

CI4 Shield has magic link for forgotten password, but this logs you in, instead of prompting for a password reset.
This is all good, and I guess it's intended to redirect users to your password change page after logging in with the magic link, but I didn't find much information about that part.

[datamweb]

Hi, Please see #359.

[pixobit]

In short the flow should be

1. Input your email address
2. Get a magic link sent out
3. Opening the magic link logs you in, and shows a reset password form (password, confirm_password)
4. Submitting form resets the password
5. Reset password page should only be accessible right after the magic link, since otherwise it could easily be hijacked

[datamweb]

Currently, magic-link is only used for emergency login.
Also, it is not possible to set the action or event:

• magic-link login
  1. Post email
     • OK → no event
     • NG → no event
  2. Send request with token
     • OK → event login / table auth_logins
     • NG → event failedLogin / table auth_logins

Whether we should allow the creation of actions or events, I alone cannot decide, however, I agree to create actions for magic-link.

[pixobit]

Exactly, it's for emergency login. But if I can't change my password, I would have to stick with emergency login, since I wouldn't remember my password anymore...

[datamweb]

That you want to create a reset password feature is possible with custom coding.
So you can create your custom Route and custom controller.
But whether you request to create this feature to be added to the shield is another matter, in which case it depends on the opinion of the members and also the request of the users.

[pixobit]

Yes, I can probably get around it by some custom coding, but it's not the best option, since this can create security holes that I might not be taking into consideration, which defeats the whole purpose of shield, and it's a bit also hard to build on top of it, since magic link already is in place, and works great, but can make it a bit trickier to wire this part in, and I don't want to avoid using it, since I would just reinvent the wheel at that part. I'm also pretty sure this can easily be considered a core feature of any login systems.

[lonnieezell]

The original thought was that they could then use whatever account management features your app has to update their password. To be fair, it sounds like that flow was not thought out as fully as it could have been. Sorry about that.

I don't think we need to go so far as allowing actions specific to Magic Link. I think that will just get too complex. Instead, setting a session temp variable stating that we just logged in with a Magic Link would be enough. That would provide developers a way of checking for that situation and responding however they'd like, whether that's to redirect to a change password form, or just display a note suggesting they change their password.

[pixobit]

The main reason you can't just use any password change mechanism after being logged in, is because change password, and reset password aren't the same. For changing the password, you need to provide the old password for safety reasons, which in this case is unknown.
Looking at the session is already much better, but I'd still prefer it to be short lived.

As for actions in the magic link, I can't tell is this makes the code more complex, since I didn't dig that deep, but for the developer who is using this library, I believe would only make it more consistent, and consistent solutions are easier to wrap your head around. At least this is my own experience.

[datamweb]

lonnieezell Thank you for your attention to this matter.
lonnieezell in #413 has tried to provide a very simple and effective solution.
I think an important part of the concerns will be solved in this case.
I still have some criticisms of Process magic-link, but that's off topic.

[pixobit]

Solved it the following way:
Implemented forgot password to send out a magic link email
When using the link to log in (the verify method), I redirect the user to the reset-password page
The reset-password page only works if session('magicLogin') is set, and this page allows to change the password without specifying the old password

[pixobit]

Thanks for all the effort that was put into making this possible!