Skip to content
This repository has been archived by the owner on Dec 2, 2024. It is now read-only.

allow for password recovery #133

Open
JoshAtticus opened this issue Dec 9, 2022 · 10 comments
Open

allow for password recovery #133

JoshAtticus opened this issue Dec 9, 2022 · 10 comments
Labels
enhancement New feature or request Medium Priority needed but small issue
Milestone

Comments

@JoshAtticus
Copy link
Member

A common thing people do is change their password, then forget it, but still remember their old one.

A useful feature would be to store the previous password (hashed) for 14 days after the password is changed.

When a password is entered, the server would check the main password, but if it doesn't match, it would check the previous password (if applicable).

If the password matches the previous password variable, but not the primary variable, it would send a status code informing the client that the password was valid within the past 14 days, but was changed (time) ago from a (device) in (location). It should not allow the user to log in as then anyone with the previous password can log in which is a security vulnerability.

Obviously, the time, device, and location info will need to come from somewhere other than a status code, for example, stored hashed by the previous password on the API.

I also have a mockup of a popup showing this feature put to use:
image

When the user contacts [email protected] to change the password, the support person should be able to switch the previous and primary password variables around, making the previous password the primary password. If emails are added in the CL4 port, you should also require a code from an email for added security.

@Bloctans
Copy link
Member

Bloctans commented Dec 9, 2022

epic idea

@MikeDev101 MikeDev101 added enhancement New feature or request CloudLink related For issues specific to the Cloudlink protocol. Server-side Medium Priority needed but small issue labels Dec 9, 2022
@JoshAtticus
Copy link
Member Author

Updates?

@JoshAtticus
Copy link
Member Author

Updates? @tnix100 cc @MikeDev101

@tnix100
Copy link
Member

tnix100 commented Feb 10, 2023

Updates? @tnix100 cc @MikeDev101

working in CL4 port
image

@JoshAtticus
Copy link
Member Author

Updates? @tnix100 cc @MikeDev101

working in CL4 port image

oooh, nice

@tnix100
Copy link
Member

tnix100 commented Feb 10, 2023

oh, except for the storing previous password thing, but at least email password recovery is working

@JoshAtticus
Copy link
Member Author

oh, except for the storing previous password thing, but at least email password recovery is working

Storing the old password hashed by itself would probably work as a backup method.

@MikeDev101
Copy link
Contributor

oh, except for the storing previous password thing, but at least email password recovery is working

Storing the old password hashed by itself would probably work as a backup method.

@tnix100 Could we possibly store a record of previous password hashes, and clear them out every 30 days? That could make the previous password notice work.

@MikeDev101 MikeDev101 added Cloudlink4 and removed CloudLink related For issues specific to the Cloudlink protocol. labels Feb 10, 2023
@MikeDev101
Copy link
Contributor

Relabeled for relevancy.

@tnix100
Copy link
Member

tnix100 commented Feb 10, 2023

oh, except for the storing previous password thing, but at least email password recovery is working

Storing the old password hashed by itself would probably work as a backup method.

@tnix100 Could we possibly store a record of previous password hashes, and clear them out every 30 days? That could make the previous password notice work.

Storing them in a separate db collection with a timestamp, we could have a TTL index that auto removes items that have a timestamp greater than 30 days old.

@MikeDev101 MikeDev101 changed the title Allow for password recovery [cl4 | latest] Allow for password recovery Mar 3, 2023
@showierdata9978 showierdata9978 changed the title [cl4 | latest] Allow for password recovery [1.9-1.10] Allow for password recovery Dec 29, 2023
@williamhorning williamhorning changed the title [1.9-1.10] Allow for password recovery allow for password recovery Aug 15, 2024
@williamhorning williamhorning added this to the rest api v1 milestone Aug 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement New feature or request Medium Priority needed but small issue
Projects
None yet
Development

No branches or pull requests

5 participants