[Yanel-dev] [Bug 7164] handle forgotten passwords
Michael Wechner
michael.wechner at wyona.com
Fri Jun 26 11:01:06 CEST 2009
Guillaume Déflache wrote:
> bugzilla at wyona.com wrote:
>> http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=7164
>>
>> ------- Comment #1 from pupreti at yahoo.com 2009-06-26 05:49 -------
>> I am adding this text after going through Guillaume's email (thoughts on
>> forgotten password handling) dated June 16th.
>> Listed below is a summary of the tasks I think are necessary to achieve
>> this and also open questions:
>>
>> 1. User clicks on link that says "forgot password". User gets a screen where
>> he/she can enter the email. They enter the email. System verifies email
>> address exists and creates a URL to be sent via email. The URL will have a
>> randomly generated id.
>> question: My understanding is yanel does not have a central config
>> database (could be wrong here). How can I access a single repository so that
>> multiple boxes can access the same data? I would like to have a central
>> repository where I can store random generated id, email, expiration date/time
>> to manage the forgot pw.
>
> You could use the data repository of the realm your resource-type is
> running in, see org.wyona.yanel.core.Resource.getRealm().getRepository().
> Or maybe as was said as the info really does not need to be persisted
> long-term we could use the HTTP session if we can bear that
> session-replication would have to be activated in a clustered setup
> just for that.
>
> WDYOT?
I think it should be persistent (even if we have session replication),
whereas I would not use the default data repository, but rather the
access control identities repository:
Resource.getRealm().getIdentityManager().getRepository()
but for a good reason the method getIdentityManager().getRepository()
does not exist ;-)
because the IdentityManager API should not depend on Yarep.
Any suggestions ;-)
(I will also think some more about it)
>
>
>> 2. User gets the link via email which is then clicked to get to the change pw
>> screen. There user enters the new pw 2 times. When this is submitted, the
>> backend system will match the random id with what is in the central repository
>> and implement the appropriate rule (encrypt and update pw).
>
> Correct, whereas as said we should be able to reuse/refactor the
> existing backend code for the change password feature, so you should
> not have to care about the details.
>
>
>> question: Michael mentioned that the random id link validation needs to be
>> configurable (12 hrs, 1 hr) etc. Where is the best place to put that value?
>
> It should probably be a resource-type property, as e.g.
> "show-collections-only" in
> http://yanel.org/yanel/resource-types/^http^3a^2f^2fwww.wyona.org^2fyanel^2fresource^2f1.0::lookup/yanel/doc/index.html
> is.
@Guillaume: I think Prabodh is referring to the default expiry period of
a generated change-password link, or what do you mean with
"show-collections-only"?
>
>> Also do we need admin UI to manage that data?
>
> I'd say we don't as it's not going to change often once projects are
> humming happily.
The question might be what happens with change-password links which
haven't been used or rather have expired, because
I am afraid these will keep hanging within the repository.
>
>
>> I would like to keep this simple and straightforward for this phase.
>> Once this is stable then additional stuff.
>
> Sure, let's try to keep things simple.
agreed :-)
Cheers
Michael
>
>
> Cheers,
> Guillaume
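As an added illustration (not Yanel code, and not from anyone on this thread) of the two steps discussed above plus the housekeeping question Michael raises: a single-use, expiring reset-token store. The class and method names are hypothetical, the in-memory Map stands in for whichever repository is chosen, and only a hash of the random id is stored so that read access to that repository does not yield usable links; assumes Java 17.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical store for forgot-password links: random id, email, expiry. */
public class ResetTokenStore {
    private record Entry(String email, long expiresAtMillis) {}
    // Keyed by SHA-256 of the id, never by the id itself.
    private final Map<String, Entry> byTokenHash = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Step 1: email already verified to exist; returns the id to embed in the mailed URL. */
    public String issue(String email, long nowMillis, long ttlMillis) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byTokenHash.put(hash(token), new Entry(email, nowMillis + ttlMillis));
        return token;
    }

    /** Step 2: link clicked and new pw submitted; the id is removed on first use, valid or not. */
    public Optional<String> consume(String token, long nowMillis) {
        Entry e = byTokenHash.remove(hash(token));
        if (e == null || nowMillis > e.expiresAtMillis()) return Optional.empty();
        return Optional.of(e.email());
    }

    /** Drops links that were never clicked, so expired entries do not pile up in the repository. */
    public int purgeExpired(long nowMillis) {
        int before = byTokenHash.size();
        byTokenHash.values().removeIf(e -> nowMillis > e.expiresAtMillis());
        return before - byTokenHash.size();
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException(ex);
        }
    }

    public static void main(String[] args) {
        ResetTokenStore store = new ResetTokenStore();
        long now = 1_000_000L, hour = 3_600_000L;          // constructed clock values
        String t = store.issue("alice@example.org", now, 12 * hour);   // constructed sample user
        System.out.println(store.consume(t, now + hour) + " then " + store.consume(t, now + hour));
        String stale = store.issue("bob@example.org", now, hour);
        System.out.println(store.purgeExpired(now + 2 * hour) + " expired link(s) purged, "
                + "stale link now yields " + store.consume(stale, now + 2 * hour));
    }
}
```

The TTL passed to issue() is where a resource-type property such as the 12 h / 1 h setting discussed above would be plugged in; the purge would run from a scheduled job or on each issue() call.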