Implement a reset password flow.#3041
Conversation
a1633c4 to
1d59448
Compare
|
I would recommend that requests to reset the password and successful resets be logged to the Maybe when a user has a MFA secret saved in the course, a password change should depend on providing an valid OTP result. That would make the system more secure against possibly malicious use. |
I will add this I suppose.
This is true, and I will see about implementing this. This may take some effort though, and may need to wait. |
|
Don;t hold things back about the OTP side, it would be nice to have, as it protects from an email compromise becoming a compromise of webwork. The logging is in my opinion more important, in case issues come up with claims of account compromise via the password reset system, it provides some data on when it occurred. |
In order to enable the reset password flow, the course environment variable `$password_reset_sender_email` must be set. This can be set per course in the `course.conf` files. If that is set, then a "Forgot Password" link will appear on the course login page to the right of the "Continue" button. When that link is used a "Forgot Password" page is shown. The user will then need to enter their username and click "Request Password Reset". Then an email is sent to the user (assuming the user has a valid email address in the database) containing a "Reset Password" link. A single use token is embedded in the link, and that token expires in 15 minutes. When that link is used a "Reset Password" page is shown. On that page the user must enter a new password, and confirm it by entering it again, and then click "Reset Password". If the token in the link is valid, then the user's password is changed. If two factor authentication is enabled, then when the reset link that is emailed to the user is used, the user must enter a one-time security code as well as a new password in order to reset their password. Also, if the user has not yet set up two factor authentication for their account, then password reset is not allowed for the user. All requests to reset a user's password and the success or failure when using the reset password link are logged to the login log. This is to address issue openwebwork#2976.
1d59448 to
ea9ab05
Compare
|
@taniwallach: I have added the two factor authentication requirement when it is enabled, and the login log logging. |
In order to enable the reset password flow, the course environment variable
$password_reset_sender_emailmust be set. This can be set per course in thecourse.conffiles.If that is set, then a "Forgot Password" link will appear on the course login page to the right of the "Continue" button. When that link is used a "Forgot Password" page is shown. The user will then need to enter their username and click "Request Password Reset". Then an email is sent to the user (assuming the user has a valid email address in the database) containing a "Reset Password" link. A single use token is embeded in the link, and that token expires in 15 minutes. When that link is used a "Reset Password" page is shown. On that page the user must enter a new password, and confirm it by entering it again, and then click "Reset Password". If the token in the link is valid, then the user's password is changed.
If two factor authentication is enabled, then when the reset link that is emailed to the user is used, the user must enter a one-time security code as well as a new password in order to reset their password. Also, if the user has not yet set up two factor authentication for their account, then password reset is not allowed for the user.
All requests to reset a user's password and the success or failure when using the reset password link are logged to the login log.
This is to address issue #2976.