From 2df1d04278038a61ff58ac892bbee560d02584aa Mon Sep 17 00:00:00 2001 From: Martin Polanka Date: Tue, 10 Jan 2017 17:33:18 +0100 Subject: [PATCH] forgotten password --- Rewritten-docs.md | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/Rewritten-docs.md b/Rewritten-docs.md index 81465da..8adbd9c 100644 --- a/Rewritten-docs.md +++ b/Rewritten-docs.md @@ -529,6 +529,36 @@ for every assignment of the same exercise. This separation is natural for all users, in CodEx it is implemented in similar way and no other considerable solution was found. +### Forgotten password + +With authentication and some sort of dealing with passwords is related problem +with forgotten passwords. People easily forget them and there has to be some +kind of mechanism to retrieve new password or change old one. Problem is it +cannot be done in totally secure way but we can at least come quite close to it. +But lets start from the beginning there are ways to handle that which are +absolutely not secure and recommendable, for example sending old password +through email. Better solution but still not secure is to generate new one and +again send it through email. This solution was provided in CodEx, users had to +write email to administrator who generated new password and sent it back to +sender. This simple solution could be also automated but administrator had quite +a big control over whole process which might come in handy there could be some +additional checkups for example, but on the other hand it can be quite time +consuming. + +Probably the best solution which is quite used and fairly secure is following. +Lets consider only case in which all users have to fill email addresses into +system and these addresses are safely in the hands of the right users. At the +beginning user finds out that he/she does not remember password after that user +requests password reset and fill in his/her unique identifier, it might be email +or unique nickname. Based on matched user account system generates unique access +token and sends it user email address. Tokens should be time limited and usable +only once so they cannot be misused. User then takes token or address which was +provided in email and go to system in appropriate section, where new password +can be set. After that user can sign in with his new password. As stated this +solution is quite safe and user can handle it on its own administrator does not +have to worry about it. That is why this approach was chosen to be used in +ReCodEx. + ### Evaluation unit executed by ReCodEx One of the bigger requests for the new system is to support a complex @@ -1455,8 +1485,6 @@ thanks to the simple authentication flow. Replacing these services in a Nette application is also straightforward, thanks to its dependency injection container implementation. -@todo: solution of forgotten password, why this in particular - @todo: rest api is used for report of backend state and errors, describe why and other possibilities (separate component) @todo: mail reports - to users, admins