How to reset password for logged out user - parse-platform

I'm using Parse javascript API. If a user has logged out, I will not have a 'currentUser'. Therefore, when I try to use the Parse.User.requestPasswordReset call, it will not work. Is there another way to offer users a way to reset their password if they have been logged out? It seems strange that having a currentUser is required.

It isn't required. You don't say why you think it is, but only an e-mail address is required in order to request a reset (as the result is an e-mail being sent to the user). It's normal to simply have the user type their e-mail address in to trigger the reset logic. Indeed if the user was logged in you would need to be careful about allowing e-mail address editing and then password reset selection...

Related

Credential Provider V2 : Handle password expired

We have a working custom credential provider,
and a working way to change the password when the user is logged in.
We are trying to handle the use case of changing the password when the
password is known to be expired.
We managed to get the status in ReportResult:
STATUS_PASSWORD_MUST_CHANGE, and we save that the password must change.
Windows displays a message saying the user needs to change his password,
but when clicking OK, it falls back to the logon screen, not our CPUS_CHANGE_PASSWORD scenario.
We have tried to force this scenario when enumerating credentials, but the logon UI is still drawn instead of the CPUS_CHANGE_PASSWORD one.
How can we redraw the UI with the correct scenario after clicking OK?
Thanks

Best practice to create a user in table and invite them to login

I am working on a Laravel project. I need to be able to create a user, mark that user with a number for their 'plan_id', and then invite them to log in and change their password. Currently, I am creating a user, adding the 'plan_id', and setting the password to a generic term like 'password'. I don't have info like their SSN or DOB that I could set it to initially.
While this does work, I don't know that it follows best practices. The only other thing I can think of is setting up another table that matches up the user's email address to the 'plan_id'. I don't want to do this because it makes it possible that the user accidentally signs up with another email and can't figure out why their portal is not working.
It doesn't sound like a great idea to set all new passwords to "password". It looks like your application is creating users, then letting each user know they have an account, as opposed to the user initiating this process. This would mean that you can't have the user pick a password.
Consider not creating a password at all, but sending an email to each new user containing a link to your system with a unique key that you store in the database user record. The user could then access the system, and it would ask them to pick an email and password to be registered with. You could have the keys expire after a number of days.
The easiest way to do this would be to generate a completely random password for the user and then email them a password reset link. The potential pitfall of this is that password reset links expire, by default after 1 hour though you can change it in config/auth.php.

Send password by email to User

I would like to know if it's good practice in terms of security to send the decrypted password to a new user by email. Could someone tell me what they think?
If I would like to send the decrypted password, should I use this?
$decrypt = Crypt::decrypt($user->password);
Thanks a lot in advance.
You can't decrypt a hashed password. Good practice is to use Laravel's password reset feature.
Once you have defined the routes and views to reset your user's passwords, you may simply access the route in your browser at /password/reset. The ForgotPasswordController included with the framework already includes the logic to send the password reset link e-mails, while the ResetPasswordController includes the logic to reset user passwords.
After a password is reset, the user will automatically be logged into the application and redirected to /home.
https://laravel.com/docs/5.4/passwords
Based on the comments:
Once the user is registered, send him/her a link to create a new password.
If you don't want to allow them to access other pages until they create a new password, add middleware to check whether the user has created a new password or not.
From the viewpoint of security, the password must be a hashed value. You shouldn't use encryption/decryption for passwords.

Show plain password in joomla

I would need a readout of Joomla's user password in plain style to give special users the ability to send a mail in a custom module with login details like:
https://mydomain/login?user=testuser
password = testuserpassword
For that reason I need the plain password out of the DB. Is there a way to show/read out the password from the Joomla DB in plain style?
Thx in advance!
Joomla saves the passwords in the database using a one-way encryption mechanism, which means that you cannot know what the password is.
I am sure what you're doing can be done in a different method - if you want to login users automatically once they click on a link then you can have a different authentication plugin that will use a random, unique, one-time-use, and time-sensitive hash that will be associated with a Joomla user account.
You need to create a plugin with a function that runs after Joomla user save.
You need to store the password in another table with the user id, and then you can use an SQL query to get the password.
This is a bad idea for the following reasons:
email is sent in plain text
email often is stored on several systems along the way to your mailbox
email often is stored on your computer in plain text or other unencrypted format
many copies may exist in many places, even after "deletion"
even encrypted email can be broken into, given enough computing time
your account's security may have been compromised even before you read your email (changing the password will not help in this case)
However, you definitely can email the user their password upon initial registration by going to Global Configuration > Users and setting Send Password to "Yes" (default setting in Joomla 3.x).
If you are looking for a way to send this password after the registration event, as others have mentioned, you are out of luck. What Joomla! provides is a secure password reset functionality to reset a password to something the user can remember. This will be the best approach for you, as well.
Resources: Sending Passwords in Email, Stop Joomla Sending Passwords in Emails
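
The unique, expiring key suggested in the Laravel invitation answer and the random, one-time-use, time-sensitive hash suggested in the Joomla thread above are the same mechanism. A sketch of it in JavaScript (Node.js), added here as an example and not taken from any of the posts; the in-memory table and the function names are assumptions standing in for a real database and framework:

```javascript
const crypto = require('crypto');

// Stand-in for a database table, keyed by the SHA-256 of the key
// (constructed for this example).
const inviteTable = new Map(); // tokenHash (hex) -> { userId, expiresAt, used }

function hashToken(token) {
  return crypto.createHash('sha256').update(String(token)).digest('hex');
}

// Issue a key for one user. Only the hash is stored, so a leaked table
// does not hand out working links. Older keys for the same user are dropped.
function issueInvite(userId, ttlMs, now = Date.now()) {
  for (const [hash, rec] of inviteTable) {
    if (rec.userId === userId) inviteTable.delete(hash);
  }
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  inviteTable.set(hashToken(token), { userId, expiresAt: now + ttlMs, used: false });
  return token; // goes into the e-mailed link only, never into the table
}

// Redeem a presented key: returns the user id once, then null on every replay.
function redeemInvite(token, now = Date.now()) {
  const rec = inviteTable.get(hashToken(token));
  if (!rec || rec.used || now >= rec.expiresAt) return null;
  rec.used = true; // single use: a forwarded or intercepted link fails afterwards
  return rec.userId;
}
```

The caller lets the user choose a password only when `redeemInvite` returns a user id, so no password ever travels by e-mail.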

How to Reset Password for User with Unverified (and possibly incorrect) Email on Parse.com?

When a user initially signs up through my app on Parse.com, they supply a username, an email address, and a password.
They verify that email address before they can start using the Parse.com functionalities. So now the user has a valid username, email address and password.
Then, consider this scenario:
1) The user changes his or her email address.
2) The user fails to validate the new email address.
3) The user doesn't use the app for a while.
4) The user forgets his or her password.
5) The user asks to reset the password.
If the user used his or her old email address for the password reset, that address is now gone and the user won't be able to reset the password using that email address.
If the user used the new email address, that address is not verified. Furthermore, it might not have been verified because it could have been typed in wrongly. So the user won't be able to reset the password using that email address.
How is this supposed to have gone down? Is there any way to keep the old email address until the new email address has been verified? That is the only way I can see that this would work.
Have you tried to use the Trigger features from Parse CloudCode?
https://parse.com/docs/cloudcode/guide#cloud-code-aftersave-triggers
Here you can run code before or after an object changes. So you can do what you suggested at the bottom of your question: save the old email in another field when the email or emailVerified field changes.
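
The idea raised in the question, keeping the verified address until the new one is confirmed, modelled in plain JavaScript as an added example (these are not Parse API calls and not code from the posts). The fields pendingEmail and pendingHash and the three function names are hypothetical:

```javascript
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest('hex');

// Stage the new address next to the verified one instead of overwriting it.
// pendingEmail / pendingHash are assumed extra fields on the user record.
function requestEmailChange(user, newEmail) {
  const token = crypto.randomBytes(32).toString('hex');
  user.pendingEmail = newEmail.trim().toLowerCase();
  user.pendingHash = sha256(token); // only the hash is kept on the record
  return token; // mailed to the NEW address to prove the user can read it
}

// Promote the staged address only when the matching token comes back.
function confirmEmailChange(user, token) {
  if (!user.pendingHash || sha256(token) !== user.pendingHash) return false;
  user.email = user.pendingEmail;
  user.emailVerified = true;
  user.pendingEmail = user.pendingHash = null;
  return true;
}

// Password reset mail always goes to the last verified address, so a
// mistyped new address can neither lock the user out nor receive the link.
function resetRecipient(user) {
  return user.emailVerified ? user.email : null;
}
```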
