forgotten password

master
Martin Polanka 8 years ago
parent 6807b5057c
commit 2df1d04278

@ -529,6 +529,36 @@ for every assignment of the same exercise. This separation is natural for all
users, in CodEx it is implemented in similar way and no other considerable users, in CodEx it is implemented in similar way and no other considerable
solution was found. solution was found.
### Forgotten password
With authentication and some sort of dealing with passwords is related problem
with forgotten passwords. People easily forget them and there has to be some
kind of mechanism to retrieve new password or change old one. Problem is it
cannot be done in totally secure way but we can at least come quite close to it.
But lets start from the beginning there are ways to handle that which are
absolutely not secure and recommendable, for example sending old password
through email. Better solution but still not secure is to generate new one and
again send it through email. This solution was provided in CodEx, users had to
write email to administrator who generated new password and sent it back to
sender. This simple solution could be also automated but administrator had quite
a big control over whole process which might come in handy there could be some
additional checkups for example, but on the other hand it can be quite time
consuming.
Probably the best solution which is quite used and fairly secure is following.
Lets consider only case in which all users have to fill email addresses into
system and these addresses are safely in the hands of the right users. At the
beginning user finds out that he/she does not remember password after that user
requests password reset and fill in his/her unique identifier, it might be email
or unique nickname. Based on matched user account system generates unique access
token and sends it user email address. Tokens should be time limited and usable
only once so they cannot be misused. User then takes token or address which was
provided in email and go to system in appropriate section, where new password
can be set. After that user can sign in with his new password. As stated this
solution is quite safe and user can handle it on its own administrator does not
have to worry about it. That is why this approach was chosen to be used in
ReCodEx.
### Evaluation unit executed by ReCodEx ### Evaluation unit executed by ReCodEx
One of the bigger requests for the new system is to support a complex One of the bigger requests for the new system is to support a complex
@ -1455,8 +1485,6 @@ thanks to the simple authentication flow. Replacing these services in a Nette
application is also straightforward, thanks to its dependency injection application is also straightforward, thanks to its dependency injection
container implementation. container implementation.
@todo: solution of forgotten password, why this in particular
@todo: rest api is used for report of backend state and errors, describe why and other possibilities (separate component) @todo: rest api is used for report of backend state and errors, describe why and other possibilities (separate component)
@todo: mail reports - to users, admins @todo: mail reports - to users, admins

Loading…
Cancel
Save