Skip to main content

Reset password

Use cases

  • As a user I want to reset password so that I can continue working with my account

Principles

  • password reset operation is secured by 6-digit verification code sent to the email
  • code is correct -> it is possible to reset password for an unlimited amount of times
  • code is wrong -> tries amount is limited to 3 times per hour per profile
  • passord is reset for CDoc<sys.Login>, not for CDoc<sys.UserProfile>
  • c.sys.ResetPasswordByEmail has no rate limits

Functional design

  • sys/registry/pseudoProfileWSID/q.sys.InitiateResetPasswordByEmail
    • null auth
    • loginApp/profileWSID/q.sys.InitiateEmailVerification is called under the hood with forRegistry mark with system auth
  • sys/registry/pseudoProfileWSID/q.sys.IssueVerifiedValueTokenForResetPassword
    • null auth
    • loginApp/profileWSID/q.sys.IssueVerfiedValueToken is called under the hood with forRegistry mark with system auth
  • sys/registry/pseudoProfileWSID/c.sys.ResetPasswordByEmail
    • null auth

Technical design

Notes:

  • c.sys.ResetPasswordByEmail called at pseudo profile because CDoc<sys.Login> is located there
  • q.sys.InitiateEmailVerification should be called at login's app:
    • profileWSID exists at the login's app
    • we call sys/registry/profileWSID/q.sys.InitiateEmailVerification
    • we should get "workspace not inizalized error" but we do not because query processor currently does not checks that
    • we got "workspace is not initialized error" when c.sys.SendEmailVerification because command processor checks that
    • conclusion - should call loginApp/profileWSID/q.sys.InitiateEmailVerification
  • q.sys.IssueVerifiedValueToken should also be called at loginApp because it accepts a token issued for loginApp, not for sys/registry

Limitations

  • //TODO issued Principal Tokens are kept valid after password reset
  • //TODO works only if Login == Email
  • //TODO it is possible to reset password for an unlimited amount of times when the verified value token is still valid (10 minutes)
  • //TODO WSID where the token is using must be the same the token is issued for. To be done in Check WSID on Verified Field value apply

Appendix: Best practices

Google

  • account with phone (not confirmed) and an alternative email
    • never logged in
      • via alternative email
        • enter the alternative email
          • wrong -> error
        • 6-digit code is sent to the alternative email
        • wrong code enter for 3 times -> "Too many retires. Try again later"
      • via phone
        • asked the telephone number
          • wrong -> error
        • 6-digit code is sent via SMS
        • 3 times entered wrong -> Too many retries. Try again later
        • "I don't have my phone" button pressed
          • enter the alternative email
            • wrong -> error
            • 6-digit code is sent to the email
            • Try another way button pressed -> "You did not provided enough info to restore".
    • logged in, then logged out
      • "Forgot password" button pressed
      • "Try anoter way" button pressed
      • "You could change the password because you have already log in on this device". Suggested to enter a new password w\o any codes
  • account w\o phone and alternative email
    • "forgot password" pressed for the account that has neither phone nor alternative email -> "failed to ensured that it is your account". Impossible reset the password.

Amazon

  • aked for 6-digit code sent to the email, then suggested to enter a new password
  • wrong code entered for 10 times -> stop to ask the code, back to the form with email input box. I.e. the sent code becomes obsoleted after 10 tries.