I'm working on resetting passwords and I would like to inquire about some options. First, is there a way for me to fail silently or otherwise keep the user in the dark about whether or not a login exists? For example, if no email login "[email protected]" exists, I would like to send back a generic message like "If this login has a password, we will send you a reset email." Currently, if you enter a login that does not exist, Rodauth explicitly tells you this and either sends back a "success" JSON or "error" JSON, but I'd like it to send an "info" JSON in both cases. Second, is there an option to allow resetting the password to the current password? The current behaviour is to fail the reset attempt and return the error "same as current" if I reset to the current account's password. I would like the user to be able to reset their password to whatever they wish, even if it is their current password, as they have forgotten it.
Replies: 2 comments
If you're looking for something like the "paranoid" mode from Devise, Rodauth won't support this feature out-of-the-box; this discussion lays out some reasons. I've recently been investigating what it would take to support this in an external extension, but have come across some obstacles, like what to do for accounts that don't have passwords set, so I let it go for now.

For reset password, the following configuration should work:

```ruby
# Rodauth configuration (inside the rodauth block of the Roda app)
reset_password_email_sent_notice_flash "If this login has a password, we will send you a reset email"

reset_password_request_error_flash do
  if account
    # an account was found, so fall back to the default error flash
    super()
  else
    # don't reveal that the account with the given email didn't exist:
    # respond exactly as if the reset email had been sent
    set_notice_flash reset_password_email_sent_notice_flash
    redirect reset_password_email_sent_redirect
  end
end
```

Note that to be consistent, you'd probably need to update places such as the login form to hide the existence of the email address as well, which isn't trivial. For example, while GitHub provides an agnostic error message in its login form, the registration form will happily asynchronously tell you whether the email address exists without even having to submit the form 🤷🏻♂️
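To make the enumeration point concrete outside of Rodauth, here is an added example in plain Ruby (not Rodauth's code and not from the discussion above) that contrasts a reset-request handler whose responses reveal whether a login exists with one that returns the same "info" response on every path, which is the shape the configuration above produces. The account store, the outbox and the logins are constructed for the example; the "no password set" account models the obstacle mentioned for accounts without passwords.

```ruby
require "securerandom"
require "digest"

# Constructed in-memory account store (example data only).
# One account has no password hash, e.g. created through an OAuth login.
ACCOUNTS = {
  "alice@example.com"  => { id: 1, password_hash: Digest::SHA256.hexdigest("correct horse") },
  "nopass@example.com" => { id: 2, password_hash: nil },
}.freeze

# Captured "emails"; a real app would enqueue delivery to a background job.
OUTBOX = []

# Same wording as the notice flash used in the Rodauth configuration above.
GENERIC_NOTICE = "If this login has a password, we will send you a reset email".freeze

def issue_reset_email(login)
  # Token would normally be stored (hashed) with an expiry before sending.
  token = SecureRandom.urlsafe_base64(32)
  OUTBOX << { to: login, token: token }
end

# Leaky version: the status and message differ per branch, so an attacker
# can confirm which logins exist by submitting the form for each candidate.
def request_reset_leaky(login)
  account = ACCOUNTS[login]
  return { status: :error, message: "There is no account with that login" } unless account
  return { status: :error, message: "This account has no password set" } unless account[:password_hash]

  issue_reset_email(login)
  { status: :success, message: "An email has been sent" }
end

# Hardened version: identical status and message on every branch.
# Only the side effect (an email) differs, and it happens out of band.
def request_reset_uniform(login)
  account = ACCOUNTS[login]
  if account && account[:password_hash]
    issue_reset_email(login)
  else
    # Do comparable work on the negative path so the response time of the
    # handler itself does not separate the branches. The larger timing risk
    # is synchronous email delivery, which is why issue_reset_email only
    # enqueues; delivery must not happen inside the request.
    SecureRandom.urlsafe_base64(32)
  end
  { status: :info, message: GENERIC_NOTICE }
end

# Helper so callers can check what was (not) sent for a login.
def reset_emails_for(login)
  OUTBOX.count { |mail| mail[:to] == login }
end

if __FILE__ == $PROGRAM_NAME
  %w[alice@example.com nobody@example.com nopass@example.com].each do |login|
    puts "#{login}: leaky=#{request_reset_leaky(login)[:status]} uniform=#{request_reset_uniform(login)[:status]}"
  end
end
```

The point to check in any real implementation is that the response body, HTTP status and redirect target are byte-for-byte identical on the "exists" and "does not exist" paths; if the JSON keys or the flash type differ, the generic wording alone does not hide anything.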
Thank you for the update. I will think on this, as it's not necessarily a big deal. I think the more important thing for me would be being able to reset to the current password, as the user forgot.