[Yanel-dev] [Bug 7164] handle forgotten passwords

Michael Wechner michael.wechner at wyona.com
Fri Jun 26 11:01:06 CEST 2009


Guillaume Déflache wrote:
> bugzilla at wyona.com wrote:
>> http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=7164
>>
>> ------- Comment #1 from pupreti at yahoo.com  2009-06-26 05:49 -------
>> I am adding this text after going through Guillaume's email (thoughts on
>> forgotten password handling) dated June 16th.
>> Listed below is a summary of the tasks I think are necessary to achieve
>> this, and also open questions:
>>
>> 1.  User clicks on a link that says "forgot password".  User gets a
>> screen where he/she can enter the email.  They enter the email. System
>> verifies the email address exists and creates a URL to be sent via email.
>> The URL will have a randomly generated id.
>> question:  My understanding is yanel does not have a central config
>> database (could be wrong here). How can I access a single repository
>> so that multiple boxes can access the same data? I would like to have a
>> central repository where I can store the randomly generated id, email and
>> expiration date/time to manage the forgot pw.
>
> You could use the data repository of the realm your resource-type is 
> running in, see org.wyona.yanel.core.Resource.getRealm().getRepository().
> Or maybe as was said as the info really does not need to be persisted 
> long-term we could use the HTTP session if we can bear that 
> session-replication would have to be activated in a clustered setup 
> just for that.
>
> WDYOT?

I think it should be persistent (even if we have session replication), 
whereas I would not use the default data repository, but rather the 
access control identities repository:

Resource.getRealm().getIdentityManager().getRepository()

but for a good reason the method getIdentityManager().getRepository() 
does not exist ;-)

because the IdentityManager API should not depend on Yarep.

Any suggestions ;-)

(I will also think some more about it)
>
>
>> 2.  User gets the link via email which is then clicked to get to the
>> change pw screen. There the user enters the new pw 2 times.  When this is
>> submitted, the backend system will match the random id with what is in
>> the central repository and implement the appropriate rule (encrypt and
>> update pw).
>
> Correct, whereas as said we should be able to reuse/refactor the 
> existing backend code for the change password feature, so you should 
> not have to care about the details.
>
>
>> question:  Michael mentioned that the random id link validation needs
>> to be configurable (12 hrs, 1 hr) etc.  Where is the best place to put
>> that value?
>
> It should probably be a resource-type property, as e.g. 
> "show-collections-only" in 
> http://yanel.org/yanel/resource-types/^http^3a^2f^2fwww.wyona.org^2fyanel^2fresource^2f1.0::lookup/yanel/doc/index.html 
> is.

@Guillaume: I think Prabodh is referring to the default expiry period of 
a generated change-password link, or what do you mean with 
"show-collections-only"?

>
>> Also do we need admin UI to manage that data?
>
> I'd say we don't as it's not going to change often once projects are 
> humming happily.

The question might be what happens with change-password links which 
haven't been used or rather have expired, because
I am afraid these will keep hanging around within the repository.
>
>
>> I would like to keep this simple and straightforward for this phase.
>> Once this is stable, then additional stuff.
>
> Sure, let's try to keep things simple.

agreed :-)

Cheers

Michael
>
>
> Cheers,
>    Guillaume
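The flow discussed in this thread (mint a random id, store it with the email and an expiry, match and invalidate it on use, and clean up expired links so they do not pile up in the repository) as an added, language-neutral illustration; this is not Yanel code, the class and method names are invented, the in-memory dict stands in for whatever repository is chosen, and the 12-hour default expiry is an assumption:

```python
import hashlib
import secrets


class ResetTokenStore:
    """Hypothetical store for forgot-password links. Only a hash of the random
    id is kept, so a copy of the stored data does not yield usable links."""

    def __init__(self, known_emails, validity_seconds=12 * 3600):
        self.known_emails = set(known_emails)
        self.validity_seconds = validity_seconds   # the configurable expiry period
        self._entries = {}                         # sha256(token) -> (email, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email, now):
        """Step 1: check the address exists, mint a random id, record its expiry.
        Returns the id to embed in the e-mailed link, or None if unknown."""
        if email not in self.known_emails:
            return None   # the UI should show the same message in both cases
        token = secrets.token_urlsafe(32)          # unguessable, URL-safe id
        self._entries[self._key(token)] = (email, now + self.validity_seconds)
        return token

    def consume(self, token, now):
        """Step 2: match the id from the link, enforce expiry and remove it so
        the link works once. Returns the email to change the password for."""
        entry = self._entries.pop(self._key(token), None)   # removed either way
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        return email

    def purge_expired(self, now):
        """Housekeeping for links that were never clicked; returns how many
        stale entries were dropped from the store."""
        stale = [k for k, (_, exp) in self._entries.items() if now > exp]
        for k in stale:
            del self._entries[k]
        return len(stale)
```

`now` is a Unix timestamp so the expiry check is a plain comparison; a scheduled call to `purge_expired` keeps unused links from accumulating.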
