password-reset-web/README.md
2021-04-29 11:18:39 +02:00


Password reset

Web interface for end users to request a password reset. The user's private email address serves as a shared secret: a private link that allows the user to set a new password is sent to that address. The link has a limited lifetime (the default is 49 hours); this value can be overridden in the configuration of the Account Service Backend.

Workflow

The process is split into two steps:

  1. Request a password reset

    The user is asked to enter their ECG account ID. The backend looks up the matching user and sends them an email containing a private link with a secret token. This link leads the user to the second step. If the user revisits the site after submitting the request, a hint is shown with the timestamp of the most recent request. The step can be repeated on demand.

  2. Set a new password

    The private link leads the user to a website. When the site is opened, the secret token is validated first. Then a form is shown that allows the user to provide a new password. The new password is checked with a password strength estimator and must reach a minimum strength of 4 (on a scale of 0-4, where 4 is the maximum). The password change is applied immediately after the form is submitted.

Technology stack

Requirements

Client

  • JavaScript

Server

  • any static web server, such as nginx or Apache HTTP Server

Development

  • NodeJS
  • Yarn