# Password reset

Web interface for end users to request a password reset. The user's private email address serves as a bilateral secret: a private link that allows the user to set a new password is sent to that address.

The link has a limited lifetime (default is 49 hours). This value can be overridden in [the configuration of the Account Service Backend](https://git.ecogood.org/services/account-svc-backend#configuration).

## Workflow

The process is split into two steps:

1. **Request a password reset**

   The user is asked to enter their **ECG account ID**. The backend looks up the matching user and sends them an email with a **private link** that includes a **secret token**. This link leads the user to the second step. When the user revisits the site after submitting the request, a hint is shown that includes the timestamp of the most recent request. The step can be repeated on demand.

2. **Set a new password**

   The private link leads the user to a website. When that site is opened, the **secret token** is validated first. Then a form is shown that allows the user to provide a new password. The new password is validated against a **password strength** estimator using a minimum strength of 4 (out of 0-4 with 4 being the maximum). The password change is **applied immediately** after submitting the form.

## Technology stack

- frontend: Vue.js 2
- module bundler: webpack
- password strength validation:
- CSS framework: Bootstrap

## Requirements

### Client

- JavaScript

### Server

- any static web server like nginx or Apache HTTP server

### Development

- Node.js
- Yarn
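
The token handling described under Workflow, sketched as an added example (not code from this project or from the Account Service Backend). The function names, the in-memory `Map` store, the invalidation of older tokens on a repeated request and the server-side strength check are assumptions; only the 49-hour lifetime and the minimum strength of 4 come from this page.

```javascript
// Added example: hypothetical helper names, not the Account Service Backend's code.
const nodeCrypto = require('crypto');

const TOKEN_LIFETIME_MS = 49 * 60 * 60 * 1000; // the page's default lifetime: 49 hours
const MIN_STRENGTH = 4;                        // the page's minimum score on the 0-4 scale

// Only the SHA-256 of a token is stored, so a leaked store yields no usable links.
const hashToken = (token) =>
  nodeCrypto.createHash('sha256').update(String(token)).digest('hex');

// Step 1: create the secret token that goes into the mailed private link.
// Assumption: repeating the request invalidates any earlier token for the account.
function issueResetToken(store, accountId, now = Date.now()) {
  for (const [key, entry] of store) {
    if (entry.accountId === accountId) store.delete(key);
  }
  const token = nodeCrypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  store.set(hashToken(token), { accountId, expiresAt: now + TOKEN_LIFETIME_MS });
  return token;
}

// Step 2, on opening the link: returns the account ID, or null if unknown or expired.
function validateResetToken(store, token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const key = hashToken(token);
  const entry = store.get(key);
  if (!entry) return null;
  if (now >= entry.expiresAt) {
    store.delete(key); // expired tokens are purged on first sight
    return null;
  }
  return entry.accountId;
}

// Step 2, on submitting the form: validate again, check strength, consume the token.
// strengthScore is assumed to come from the password strength estimator (0-4).
function applyNewPassword(store, token, strengthScore, now = Date.now()) {
  const accountId = validateResetToken(store, token, now);
  if (accountId === null) return { status: 'invalid-token' };
  if (!Number.isInteger(strengthScore) || strengthScore < MIN_STRENGTH) {
    return { status: 'weak-password' }; // token stays valid so the user can retry
  }
  store.delete(hashToken(token)); // single use: the link is dead once the password is set
  return { status: 'ok', accountId };
}
```

Checking the token again on form submission, not only when the page is opened, keeps an expired or already used link from changing a password through a form that was left open.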