open-duelyst/duelyst

[P2] Add password reset tokens

Open

Aperta il 16 ott 2022

Vedi su GitHub
 (1 commento) (1 reazione) (0 assegnatari)JavaScript (3443 star) (526 fork)batch import
backendenhancementhelp wanted

Descrizione

Summary

Since we removed email-based forgot password flows (see git log for original code), we should add an alternative system for password resets. One way to do this is with "recovery tokens", as seen on sites with MFA flows. We could give a user one recovery token which can be used to validate a one-time password reset, which then grants a new recovery token. These could be stored as (user_id, token) in a new Postgres table, and can be deleted after successful use.

Guida contributor

Tech stack
javascriptpostgresql
Dominio
backendauthentication
Tipo issue
feature
DifficoltàQuanto dovrebbe essere impegnativa per un nuovo contributor.
3
Tempo stimatoTempo stimato per completare e verificare uno scope piccolo.
half day
Stato attivitàQuanto è probabile che la issue sia ancora attiva e reviewable.
fresh
ChiarezzaQuanto chiaramente la issue descrive problema, scope e risultato atteso.
clear
Prerequisiti
JavaScriptBasic SQLAuthentication concepts
Adatta ai principiantiQuanto la issue è adatta a contributor alla prima esperienza.
50
Direzione di ricerca
Examine the existing authentication flow in the repository to understand how sessions are managed and where token validation occurs. Look for the previous email based forgot password code in git history. Implement a new Postgres table for recovery tokens with user id and token fields, and create endpoints to generate and validate tokens. Ensure tokens are hashed before storage and deleted after successful use.