
Add method for user to request a password reset
Closed, ResolvedPublic

Description

Add a new screen that allows a user to request a password reset in the event of lost password/username.

The screen will allow an unauthenticated user to enter an email address that they believe is associated with an account. The response to submitting this form will always be a screen telling the user that an email has been sent to the provided email address with instructions for account recovery. There will be no indication of whether or not the email address submitted is associated with an account.

The application will create a one-time use token and store it in the database. That token will be linked to the user account that the provided email address belongs to.

The email sent to the user will provide the username associated with the email address and a URL containing the one-time use reset token. Visiting this URL will check that the token is unused/unexpired. If it is then the user will be allowed to enter a new password for the account. If the token is invalid then the user will be allowed to request a new token.

Event Timeline

bd808 claimed this task.
bd808 raised the priority of this task from to High.
bd808 updated the task description. (Show Details)
bd808 subscribed.

Wisdom from our security team:

Token should be about 128 random bits, either hex or b64 encoded. Ideally, save a hash of the token you send to the user in the database, so a DB compromise doesn't let you compromise current reset tokens.
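The flow in the task description and the security team's advice above, as an added illustration in Python (not code from the iegreview project, which is not written in Python): the request handler returns the same message whether or not the address is known, the token is 128 random bits hex-encoded, only its SHA-256 hash is stored, and redemption checks that the token is known, unexpired and unused before marking it used. The in-memory dictionaries stand in for the database, the one-hour expiry and the `example.invalid` URL are assumptions the task does not fix, and the injectable clock exists only so the expiry check can be exercised.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 16            # 128 random bits, per the security team's note
TOKEN_TTL_SECONDS = 3600    # assumed expiry window; the task does not set one


class PasswordResetStore:
    """In-memory stand-in for the users table and the reset-token table.

    Only a hash of each token is stored, so a copy of the token table does
    not let anyone redeem outstanding tokens.
    """

    def __init__(self, users_by_email, now=time.time):
        self.users_by_email = users_by_email   # constructed: email -> username
        self.tokens = {}                       # token hash -> record
        self.now = now                         # clock, injectable for testing

    @staticmethod
    def _hash(token):
        # The raw token only ever exists in the email; the DB sees its hash.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_reset(self, email):
        """Handle the reset form.

        Returns (message, mail). The message is the same whether or not the
        address is known; mail is None when no account matches, otherwise
        the username and reset URL that would be sent to the address.
        """
        message = ("An email with account recovery instructions has been "
                   "sent to " + email)
        username = self.users_by_email.get(email)
        if username is None:
            return message, None
        token = secrets.token_hex(TOKEN_BYTES)   # 32 hex chars = 128 bits
        self.tokens[self._hash(token)] = {
            "username": username,
            "expires": self.now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        mail = {
            "to": email,
            "username": username,
            "url": "https://example.invalid/reset/" + token,  # assumed URL shape
        }
        return message, mail

    def redeem(self, token):
        """Validate a token taken from the reset URL.

        Returns the username whose password may now be changed, or None when
        the token is unknown, expired or already used (the caller then offers
        to issue a new one). A successful redemption consumes the token.
        """
        record = self.tokens.get(self._hash(token))
        if record is None or record["used"] or record["expires"] <= self.now():
            return None
        record["used"] = True
        return record["username"]


if __name__ == "__main__":
    store = PasswordResetStore({"alice@example.org": "alice"})
    _, mail = store.request_reset("alice@example.org")
    token = mail["url"].rsplit("/", 1)[1]
    print(store.redeem(token))   # alice
    print(store.redeem(token))   # None, one-time use
```

Lookup is by hash, so the database row never contains anything that can be pasted into the reset URL; the only copy of the usable secret is the one delivered to the account's email address.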

Change 247858 had a related patch set uploaded (by BryanDavis):
Add support for self-service password resets

https://gerrit.wikimedia.org/r/247858

Change 247858 merged by jenkins-bot:
Add support for self-service password resets

https://gerrit.wikimedia.org/r/247858

Changes have been deployed to https://iegreview.wikimedia.org/ and verified there.