I have created a new Notification file for when certain account details are modified (username, password, email ...) to send a notification to the user informing of important changes to his account.
I have copied the ResetPassword Notification and customized it because I want the link that sends the user to the screen to retrieve the password.
The implementation works to a certain extent: the email is sent with a link that takes you to the screen to recover the password. However, when I try to reset the password, nothing happens and the email cell is marked in red.
What should I do?
Related
We have a working custom credential provider, and a working way to change the password when the user is logged in.
We are trying to handle the use case of changing the password when the password is known to be expired.
We managed to get the status in ReportResult: on STATUS_PASSWORD_MUST_CHANGE, we save that the password must change.
Windows displays a message saying the user needs to change his password, but when clicking OK, it falls back to the logon screen, not our CPUS_CHANGE_PASSWORD scenario.
We have tried to force this scenario when enumerating credentials, but the LOGON UI is still drawn instead of the CPUS_CHANGE_PASSWORD one.
How can we redraw the UI with the correct scenario after clicking OK?
Thanks
I have an application where a user (we will call 'original user') can create a 'plan' and then add other users to that 'plan' so they can view the 'plan'. The original user can simply enter the email address of the user they want to add. If that user already exists, the user will be added to the plan and there are no issues.
In the case that the user does not exist, I am having the original user enter the email address and an initial password for that user. I can trigger an email to go to the new user to notify them. The new user is added to the Plan Mapping table so they are attached to that plan.
The vulnerability in my approach is that the original user could start creating accounts for people inappropriately and that the original user has to tell the new user their password or the new user has to hit 'Forgot Password' the first time they log in.
It would be ideal for the original user simply to add an email for the user they want to add to the plan. If the user exists, the user is added to the plan automatically. If the user does not exist, they are added to the Plan Mapping somehow and sent an email with a token to create an account.
I know how to send an Activation email. However, that doesn't work because the password is still created by the original user. I don't know how I could send an email with that user to sign up and then automatically do the Plan Mapping after that user signs up.
1) You could create a user without a password.
2) Then create a signed URL for the new user and send it via email. https://laravel.com/docs/6.x/urls#signed-urls
3) The user will follow the link you have created and will have to enter a new password.
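As an added illustration (not part of the answer above and not Laravel's own code), this Node.js example shows the mechanism a signed, expiring invite link relies on: an HMAC over the path and query binds the invited email and the plan, so neither can be changed after the email is sent. The secret, the URL and the function names are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; in a real app this is a server-side secret kept out of source control.
const SECRET = 'constructed-demo-key-not-for-production';

function sign(data) {
  return crypto.createHmac('sha256', SECRET).update(data).digest('hex');
}

// Hypothetical helper: build an invite link bound to the invited email, the plan and an expiry.
function makeInviteUrl(base, email, planId, ttlSeconds, now = Date.now()) {
  const url = new URL(base);
  url.searchParams.set('email', email);
  url.searchParams.set('plan', String(planId));
  url.searchParams.set('expires', String(Math.floor(now / 1000) + ttlSeconds));
  url.searchParams.set('signature', sign(url.pathname + url.search));
  return url.toString();
}

// Returns { email, planId } when the link is untampered and unexpired, otherwise null.
// The caller then lets the invitee choose a password and creates the plan mapping.
function verifyInviteUrl(link, now = Date.now()) {
  const url = new URL(link);
  const given = url.searchParams.get('signature') || '';
  url.searchParams.delete('signature');
  const expected = sign(url.pathname + url.search);
  const a = Buffer.from(given, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  // Constant-time comparison; the length check is required by timingSafeEqual.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return null;
  const expires = Number(url.searchParams.get('expires'));
  if (!Number.isFinite(expires) || expires < Math.floor(now / 1000)) return null;
  return {
    email: url.searchParams.get('email'),
    planId: Number(url.searchParams.get('plan')),
  };
}
```

Because the email and plan come out of the verified link, the sign-up handler can attach the new account to the plan without the original user ever choosing a password.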
I am using Laravel 5.4 to make an in-house app that does not have any authentication (out of my control). A user submits information, and an email is sent to a manager with the info and they can either accept/reject it by clicking on a button. If they click on the accept button a new window opens up where they can do stuff like change the user submitted information.
A token is generated and sent in the email so when the manager presses the accept button the token is sent along in the URL. How can I verify that the token is valid (matches what is saved in the database) before allowing them to make any updates or changes? Is it possible to block access to the route so they can't even open the webpage if the token is invalid?
I would also appreciate other ideas on how to best protect the app without using authentication.
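One way to check such a token before the page opens, as an added example that is not part of the original question and is written in plain Node.js rather than Laravel: only a hash of the token is stored, the check runs as a route guard, and the token is marked used once the decision is submitted. The in-memory `Map` stands in for the database table, and all names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Stand-in for the database table; only the SHA-256 of each token is stored,
// so a leaked table does not reveal usable links.
const approvals = new Map(); // submissionId -> { tokenHash, expiresAt, used }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Called when the submission is saved; the returned token goes into the emailed link.
function issueApprovalToken(submissionId, ttlMs, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  approvals.set(submissionId, { tokenHash: sha256(token), expiresAt: now + ttlMs, used: false });
  return token;
}

// Read-only check, suitable for a guard that runs before the page renders.
function isTokenValid(submissionId, token, now = Date.now()) {
  const row = approvals.get(submissionId);
  if (!row || row.used || now > row.expiresAt) return false;
  // Both digests are 32 bytes, so the constant-time comparison never throws.
  return crypto.timingSafeEqual(sha256(String(token)), row.tokenHash);
}

// Called when the manager submits the decision; the token cannot be replayed afterwards.
function consumeToken(submissionId, token, now = Date.now()) {
  if (!isTokenValid(submissionId, token, now)) return false;
  approvals.get(submissionId).used = true;
  return true;
}

// Guard in the shape of a middleware: the HTTP status the route should answer with.
function guardStatus(submissionId, token, now = Date.now()) {
  return isTokenValid(submissionId, token, now) ? 200 : 403;
}
```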
I'm using Parse javascript API. If a user has logged out, I will not have a 'currentUser'. Therefore, when I try to use the Parse.User.requestPasswordReset call, it will not work. Is there another way to offer users a way to reset their password if they have been logged out? It seems strange that having a currentUser is required.
It isn't required. You don't say why you think it is, but only an e-mail address is required in order to request a reset (as the result is an e-mail being sent to the user). It's normal to simply have the user type their e-mail address in to trigger the reset logic. Indeed if the user was logged in you would need to be careful about allowing e-mail address editing and then password reset selection...
When a user initially signs up through my app on Parse.com, they supply a username, an email address, and a password.
They verify that email address before they can start using the Parse.com functionalities. So now the user has a valid username, email address and password.
Then, consider this scenario:
1) The user changes his or her email address.
2) The user fails to validate the new email address.
3) The user doesn't use the app for a while.
4) The user forgets his or her password.
5) The user asks to reset the password.
If the user used his or her old email address for the password reset, that address is now gone and the user won't be able to reset the password using that email address.
If the user used the new email address, that address is not verified. Furthermore, it might not have been verified because it could have been typed in wrongly. So the user won't be able to reset the password using that email address.
How is this supposed to have gone down? Is there any way to keep the old email address until the new email address has been verified? That is the only way I can see that this would work.
Have you tried to use the Trigger features from Parse CloudCode?
https://parse.com/docs/cloudcode/guide#cloud-code-aftersave-triggers
Here you can run code before or after an object changes. So you can do what you suggested at the bottom of your question: save the old email in another field when the email or emailVerified fields change.
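The state handling this thread describes, as an added example that is not part of the original answer: plain JavaScript modelling an account whose verified address stays in place until the new one is confirmed. It does not use the Parse SDK; the record shape and function names are hypothetical, and in Parse the same logic would sit in a Cloud Code trigger.

```javascript
const crypto = require('node:crypto');

const sha256hex = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Hypothetical account record: `email` is always the last verified address.
function createAccount(email) {
  return { email, pendingEmail: null, pendingTokenHash: null };
}

// Step 1: record the requested address as pending; the verified one is untouched.
// Returns the token that would be mailed to the new address.
function requestEmailChange(account, newEmail) {
  const token = crypto.randomBytes(32).toString('hex');
  account.pendingEmail = newEmail;
  account.pendingTokenHash = sha256hex(token);
  return token;
}

// Step 2: only a matching token promotes the pending address to verified.
function confirmEmailChange(account, token) {
  if (!account.pendingTokenHash) return false;
  const a = Buffer.from(sha256hex(String(token)), 'hex');
  const b = Buffer.from(account.pendingTokenHash, 'hex');
  if (!crypto.timingSafeEqual(a, b)) return false;
  account.email = account.pendingEmail;
  account.pendingEmail = null;
  account.pendingTokenHash = null;
  return true;
}

// Password resets are only ever sent to the verified address, so a mistyped
// or unconfirmed new address can neither lock the user out nor receive a reset link.
function passwordResetRecipient(account) {
  return account.email;
}
```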