Skip to content

Implement a reset password flow.#3041

Open
drgrice1 wants to merge 1 commit into
openwebwork:WeBWorK-2.21from
drgrice1:password-reset-flow
Open

Implement a reset password flow.#3041
drgrice1 wants to merge 1 commit into
openwebwork:WeBWorK-2.21from
drgrice1:password-reset-flow

Conversation

@drgrice1

@drgrice1 drgrice1 commented Jul 7, 2026

Copy link
Copy Markdown
Member

In order to enable the reset password flow, the course environment variable $password_reset_sender_email must be set. This can be set per course in the course.conf files.

If that is set, then a "Forgot Password" link will appear on the course login page to the right of the "Continue" button. When that link is used a "Forgot Password" page is shown. The user will then need to enter their username and click "Request Password Reset". Then an email is sent to the user (assuming the user has a valid email address in the database) containing a "Reset Password" link. A single use token is embeded in the link, and that token expires in 15 minutes. When that link is used a "Reset Password" page is shown. On that page the user must enter a new password, and confirm it by entering it again, and then click "Reset Password". If the token in the link is valid, then the user's password is changed.

If two factor authentication is enabled, then when the reset link that is emailed to the user is used, the user must enter a one-time security code as well as a new password in order to reset their password. Also, if the user has not yet set up two factor authentication for their account, then password reset is not allowed for the user.

All requests to reset a user's password and the success or failure when using the reset password link are logged to the login log.

This is to address issue #2976.

@drgrice1 drgrice1 force-pushed the password-reset-flow branch 3 times, most recently from a1633c4 to 1d59448 Compare July 7, 2026 21:47
@taniwallach

Copy link
Copy Markdown
Member

I would recommend that requests to reset the password and successful resets be logged to the login.log file.

Maybe when a user has a MFA secret saved in the course, a password change should depend on providing an valid OTP result. That would make the system more secure against possibly malicious use.

@drgrice1

drgrice1 commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

I would recommend that requests to reset the password and successful resets be logged to the login.log file.

I will add this I suppose.

Maybe when a user has a MFA secret saved in the course, a password change should depend on providing an valid OTP result. That would make the system more secure against possibly malicious use.

This is true, and I will see about implementing this. This may take some effort though, and may need to wait.

@taniwallach

Copy link
Copy Markdown
Member

Don;t hold things back about the OTP side, it would be nice to have, as it protects from an email compromise becoming a compromise of webwork. The logging is in my opinion more important, in case issues come up with claims of account compromise via the password reset system, it provides some data on when it occurred.

In order to enable the reset password flow, the course environment
variable `$password_reset_sender_email` must be set. This can be set per
course in the `course.conf` files.

If that is set, then a "Forgot Password" link will appear on the course
login page to the right of the "Continue" button. When that link is used
a "Forgot Password" page is shown. The user will then need to enter
their username and click "Request Password Reset". Then an email is sent
to the user (assuming the user has a valid email address in the
database) containing a "Reset Password" link. A single use token is
embedded in the link, and that token expires in 15 minutes. When that
link is used a "Reset Password" page is shown. On that page the user
must enter a new password, and confirm it by entering it again, and then
click "Reset Password".  If the token in the link is valid, then the
user's password is changed.

If two factor authentication is enabled, then when the reset link that
is emailed to the user is used, the user must enter a one-time security
code as well as a new password in order to reset their password. Also,
if the user has not yet set up two factor authentication for their
account, then password reset is not allowed for the user.

All requests to reset a user's password and the success or failure when
using the reset password link are logged to the login log.

This is to address issue openwebwork#2976.
@drgrice1 drgrice1 force-pushed the password-reset-flow branch from 1d59448 to ea9ab05 Compare July 8, 2026 17:32
@drgrice1

drgrice1 commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

@taniwallach: I have added the two factor authentication requirement when it is enabled, and the login log logging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants