Realm - Reset Password - iOS

The steps mentioned at Reset User Password seem a bit confusing to me.
For example, a user normally resets his password because he cannot remember the existing one.
Now, the above link mentions that
The refresh token can be retrieved by calling user.token after logging in via Realm.Sync.User
But, as the user does not know his current password, how can the app get the refresh token?
I seem to be missing something here, not sure what.
Would be nice if someone could explain the complete steps for a password reset by the user.

"Password reset" is a bit of a misnomer. The functionality in question is intended for a logged-in user to change their own password (for example, from a "Settings" or "Profile" screen), or for a user with administrative privileges to change an arbitrary user's password.
There is another common use case in which a user who is logged out and does not remember their password wishes to reset it. In many cases this process involves sending them an email with a link which, upon being visited, will allow them to specify a new password. The Realm Object Server doesn't support this sort of password reset out of the box; you may want to file an issue at its issue tracker to request it (since it seems quite important).

Related

Firebase reset password issue

Just a quick question. I have set up a backend using Firebase and I am using Swift. I have create a user, log in a user and forgot password all working correctly. But does anyone know how to check, when a user logs in, if they are using the reset password from the email which was sent out?
What I want to do is check upon login if they are using the email reset password and if so I can then enforce a password change upon them. I cannot seem to find out how to do this.
Thanks
Once a user requests a forgot password email, they will receive an email with a temporary (24 hour) token that they must log in with and then change their password from there.
Check the documentation for more information regarding password and email changes within your application. https://www.firebase.com/docs/ios/guide/login/password.html
The way I handled this was slightly different from what you described, but it gets to the same place. After the user gets a temporary password they are prompted to enter the temporary password sent to their email. Immediately after they enter it they are then asked to change their password to something new before they can proceed. I figured those temporary passwords are so complex no one is going to remember or hold onto them for long, so it's best to get them using their own password ASAP.
https://firebase.google.com/docs/reference/ios/firebaseauth/api/reference/Classes/FIRAuth
In Swift 3.x and Firebase 3.x
FIRAuth.auth()?.sendPasswordReset(withEmail: email) { error in
    // Your code here
}
Firebase 4 Version
Auth.auth().sendPasswordReset(withEmail: email) { error in
    // Your code here
}

Modx Revolution - New user cannot login

I'm trying to create a new user in MODX Revolution 2.3.0 but for some reason, the user cannot access the manager area. I tried to clear every bit of cache as well as to make sure the password is created by the system (email has been sent) and the user belongs to the Users group.
Strangely, when looking at the user settings, it says that the user has made some 10 logins, but in reality, he has not.
When I type a wrong password, I get the wrong password error message, when I type a correct password, the input field gets cleared and nothing else happens.
Any idea how to solve this?
Thanks.
It seems that the user doesn't have access to the mgr context. Any user needs the «frames» permission to get access to the manager.
Try to update the user's data and make him a sudoer. It'll help to understand if wrong permissions cause the problem.
Exactly. Like #proxyfabio said, he needs access to the manager. To at least assess if the user login works, give him temporary SUDO rights. If that works, work your way from the ground up.
Make sure an Access Policy Template and Access Policy is created. Make sure the policy contains "frames" and is checked at the Policy Template edit screen. Next, PLEASE, make a separate Role, like "Customer". Go into the Administrator group (or again, PLEASE, create a Customer group) and head on over to the Users tab. Add the User to the group with the Role Customer - "your level" (I usually use increments of 500 or 1000).
Under Context Access, add the user to the mgr context with the specified role and your Customer policy. Do the same for web if you wish to avoid any in-depth issues.
Finally, save your settings, flush your permissions, clear your cache and optionally flush your sessions table (you can also delete cookies for the browser you're using). When you've done all that, create an Incognito tab in Chrome or Firefox to avoid issues and try the login again.
I have somewhat the same issue if I try to log in as a duplicate manager user from an Android phone: the login count goes up, a wrong password gives an error and a correct password just refreshes the login page.
However logging in from a computer works. Initially it didn't...
Here are my steps:
Duplicate manager user
Set new password
Login fails
Click forget login for e-mail
Login successfully (computer) with the new generated password
Change original password to original password!? :D
Login works everywhere except my phone

How long should a password reset hash be valid for?

Here's the scenario:
A hacker hijacks the account of a user on my site. The hacker changes the password. My site sends out an email to the user's contact email address with a link containing a url with a hash value to reset the password. The hacker then changes the user's contact email address the following day. My site then sends out an email to the old and new email addresses.
Most answers here have said that the recovery hash should be valid for an hour. But what if the user is away from home and doesn't get the emails until a week later, after the hash has expired? The user's password has been changed and the user can't get a new recovery email either. The user has now lost the account and has no way to recover it. Shouldn't the hash remain valid for a week or two, or until it is used?
And what happens if the hacker, knowing how this mechanism works on most sites, claims to forget the password and requests a new one. Should the site generate a new hash, replacing the old one, thereby rendering the real user's reset hash invalid? Or should the site not change the hash, and send out the same hash again? But now, both the real user and the hacker have a hash to reset the password?
I'm sooooo confused... Maybe there's no perfect solution to this problem...
Any other technique? I, personally, don't like "secret questions" because, more often than not, they provide a back door to hack into someone's account. When sites require them from me, I type gibberish as the answer.
BTW, I know there are similar questions like this, and I would have preferred to ask for clarification in a comment to an existing question rather than open a new question, but I don't have high enough reputation to add a comment to someone else's question.
I would set the hash until activated and a captcha is done, because the hacker could use a bot to get on the website.
Edit: The hacker will not know the secret password for reset verification.
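The thread above argues about how long a reset hash should live and what to do when a second reset is requested. The following is an added illustration, not code from the question or any answer: a small in-memory token store that keeps only a digest of each token, enforces a configurable lifetime, makes every token single-use, and invalidates all earlier tokens for a user when a new one is issued, so the legitimate user and an attacker never both hold a live link. The class names, the SHA-256 storage scheme and the injected clock are my own assumptions for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ResetToken:
    """One outstanding reset link. Only the digest of the token is kept."""
    user_id: str
    expires_at: float   # seconds since epoch (or any monotonic clock)
    used: bool = False


class ResetTokenStore:
    """Hypothetical store for single-use, time-limited password reset tokens.

    Storing SHA-256(token) instead of the token means a leaked table does not
    yield working links; the raw token only ever exists in the e-mail.
    """

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._by_digest: Dict[str, ResetToken] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        # A fresh request supersedes every earlier token for this user, so a
        # second "forgot password" click cannot leave two live links around.
        for rec in self._by_digest.values():
            if rec.user_id == user_id:
                rec.used = True
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG entropy
        self._by_digest[self._digest(token)] = ResetToken(user_id, now + self.ttl)
        return token

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Return the user id if the link is live; None if unknown, used or expired."""
        rec = self._by_digest.get(self._digest(token))
        if rec is None or rec.used or now > rec.expires_at:
            return None
        rec.used = True   # single use: the link dies the moment a password is set
        return rec.user_id
```

Pass `now` from a real clock in production; it is a parameter here so the expiry and supersession cases can be exercised deterministically.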

Login or create for Devise on Rails?

I intend to build customized logic on Devise on Rails. Here is the logic: the user can try to log in, and if the user does not exist, then it will create the account for the user. Just to skip the registration process.
Not sure how to hack into Devise. Please help!
Thank you in advance!
Edit: Sorry that I didn't make it clear enough: I have implemented the on-create validation on the user model to authenticate with another system. The logic is:
If success with another system's authenticator, then create a new user with the same password and login user.
Else login fail.
You know that if someone makes a typo he will create a new account and will be mad that all of his/her stuff disappeared? When there is a small number of users it isn't a problem. But when your community grows it can cause you some bad PR. You should rather check by AJAX call that there is a user with that email/username/nick and if not then show the registration form, but on the other hand this can be a security issue if your users are signing in using non-public data like email, or if the username is different from the nickname shown on your page.
Why would you want to skip the registration process? I don't see any benefits.
First, the user can enter the wrong username or password by accident.
Second, the user can enter the right username, but the wrong password. So he/she already is a registered user, but still get a new account.
Third, when a new user is automatically registered, how does the user actually know what his username or, more importantly, his password will be?
Personally, why not just add "Remember Me" or "Forgot Password?" to your login form. If, for any reason, the user doesn't want to enter his login data or simply doesn't know his password required to login he can use these options.
Or, if you are working with permissions, why not just make a guest user if someone is not logged in?
What if they type in the wrong password or username by accident? Then you just automatically create them an account? IMO that would be a bad user experience. You either know your account or you don't. If you have an account and can't remember then you use the 'Forgot my ...'. If you don't have an account, then you go sign up. You could implement OAuth and use accounts from a multitude of sites (i.e. GitHub, Twitter, Facebook, etc.) that would make it easier.

Devise sign in and sign up using single form

I'm trying to do the following: I have a page with a form for login and password.
Is it possible to use this form for both registration and authorization? For example, I'm visiting the page for the first time and enter my email and password. Then if such an email already exists I get an error, otherwise an account is created for me. Searching for a way of implementing this gave no results.
Does anyone know how to make it possible?
This approach has one drawback: if the user mistyped the password then he would probably never log in again. Solution: use email for password recovery.
Another approach is to let the user input the email and, while the user types the password, check if the email is already in the database. If it's not available then add a password confirmation field to the form.
How to make it possible? Just program the necessary logic on server-side and client-side.