Password reset
Web interface for end users to request a password reset. The user's private email address serves as the shared secret: a private link that allows the user to set a new password is sent to that address, so the reset is only as strong as access to that mailbox. The link has a limited lifetime (default is 49 hours); this value can be overridden in the configuration of the Account Service Backend.
Workflow
The process is split into two steps:
- Request a password reset
  The user is asked to enter their ECG account ID. The backend looks up the matching user and sends them an email containing a private link that carries a secret token. This link leads the user to the second step. When the user revisits the site after submitting a request, a hint is shown with the timestamp of the most recent request. The step can be repeated on demand.
- Set a new password
  The private link takes the user to a page that first validates the secret token. If the token is valid, a form is shown that lets the user enter a new password. The new password is checked with a password strength estimator (zxcvbn) and must reach a score of 4, the maximum on its 0-4 scale. The password change is applied immediately after the form is submitted.
Technology stack
- frontend: Vue.js 2
- module bundler: webpack
- password strength validation: https://github.com/dropbox/zxcvbn
- CSS framework: Bootstrap
Requirements
Client
- JavaScript enabled in the browser
Server
- any static web server such as nginx or Apache HTTP Server
Development
- NodeJS
- Yarn