Skip to content

Add password reset via email #14232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
stirby opened this issue Aug 9, 2024 · 9 comments
Closed

Add password reset via email #14232

stirby opened this issue Aug 9, 2024 · 9 comments
Assignees
@BrunoQuaresma @DanielleMaywood
Labels
enterprise Enterprise-license / premium functionality
Milestone
Notifications: GA...

Comments

@stirby
Copy link
Collaborator

stirby commented Aug 9, 2024
edited
Loading

We allow administrators to reset a user's password via the CLI by connecting directly to the database (#1380). Otherwise, users may change their password in their account settings.

As a user, when I forget my password, I would like to reset it autonomously. This flow is facilitated in most products through a reset password link delivered to the user's email. We can implement the same flow using the new system-generated notifications.

When SMTP notifications are configured for a deployment, a new option would appear on the login page:

Screenshot 2024-08-13 at 4 29 15 PM

They'd then receive an email containing a link to create a new password.

Note

This would introduce a security vulnerability for teams, so admins should be able to disable the feature for their deployment or organization (once merged).
@coder-labeler coder-labeler bot added enterprise Enterprise-license / premium functionality feature labels Aug 9, 2024
This was referenced Aug 13, 2024
Closed
Closed
@DanielleMaywood
Copy link
Contributor

Proposal for how this would look:

  • User clicks "Forgot password?"
  • User is presented with a screen that asks for their email
  • User enters the email of their account
    • A one-time-passcode is sent to their email (with a short expiry)
    • User is presented with a field for the one-time-passcode
    • Show message in the UI such as "A one-time-passcode has been sent to your email if the provided email is valid"
      • We shouldn't have a different message if the email is valid or not to prevent enumeration attacks
  • User enters one-time-passcode
    • All existing sessions are logged out
  • User is logged into account
  • User is presented with a mandatory reset password screen

The decision to send a one-time-passcode to the users email over sending a password reset link is that many places advise against clicking links in emails as it makes people more susceptible to phishing attacks. This flow doesn't pose the same risk as the user never has to click a link from their email.

@stirby thoughts on this approach?

@stirby
Copy link
Collaborator Author

stirby commented Sep 24, 2024

This is exactly as I imagined, except:

The decision to send a one-time-passcode to the users email over sending a password reset link is that many places advise against clicking links in emails as it makes people more susceptible to phishing attacks.

But your rationale is very thoughtful. Let's do it.

This was referenced Sep 25, 2024
Merged
Closed
@DanielleMaywood
Copy link
Contributor

After a discussion with @johnstcn and @mafredri we have come up with a slightly simplified flow.

Rather than these final 3 steps as originally presented:

  • User enters one-time-passcode
    • All existing sessions are logged out
  • User is logged into account
  • User is presented with a mandatory reset password screen

We'd instead do this:

  • User enters one-time-passcode and new password (with a confirmation field).
    • All existing sessions are logged out.
    • User is logged in.

This removes an extra step from the flow.

How does this sound to you @stirby?

@stirby
Copy link
Collaborator Author

stirby commented Sep 27, 2024

Yes, all for simplification @DanielleMaywood.

One more question: do we hide the button when

  • User sign-in is not simple (password)
  • SMTP is not configured

@DanielleMaywood
Copy link
Contributor

For both it will be hidden.

  • If password sign-in isn't enabled, then the button would be misleading.
  • If SMTP is not configured, then we cannot send the email with the code, making the feature useless.

@DanielleMaywood DanielleMaywood mentioned this issue Oct 1, 2024
Merged
DanielleMaywood added a commit that referenced this issue Oct 4, 2024
@DanielleMaywood
feat: implement api for "forgot password?" flow (#14915)
4369f2b 
Relates to #14232

This implements two endpoints (names subject to change):
- `/api/v2/users/otp/request`
- `/api/v2/users/otp/change-password`
@mtojek
Copy link
Member

mtojek commented Oct 4, 2024

@BrunoQuaresma Heads-up, this issue will require frontend work 👍 @DanielleMaywood will share details.

@matifali matifali removed the feature label Oct 14, 2024
@chrifro
Copy link

chrifro commented Oct 15, 2024

To help with the UI, I created mockups based on the existing design and the described user flow. Note: the mockups are not pixel-perfect as they are partially based on screenshots
See Figma

Image
Image
Image
Image

Over to you @BrunoQuaresma 🏀

@johnstcn johnstcn mentioned this issue Oct 17, 2024
Merged
@johnstcn
Copy link
Member

johnstcn commented Oct 17, 2024
edited
Loading

Thought: we should probably add a more aggressive rate-limit to the "request password reset" endpoint. I think once per minute should be more than sufficient.
Example: https://github.com/coder/coder/blob/main/coderd/coderd.go#L986-L991

@BrunoQuaresma
Copy link
Collaborator

Closed by #15108

This was referenced Oct 21, 2024
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@BrunoQuaresma BrunoQuaresma

@DanielleMaywood DanielleMaywood

Labels
enterprise Enterprise-license / premium functionality
Projects
None yet
Milestone
Notifications: GA Release
Development

No branches or pull requests
7 participants
@BrunoQuaresma @johnstcn @matifali @mtojek @DanielleMaywood @chrifro @stirby