    Solved Password Reset should be an option for logged-in users too

    Feature Requests
    • marcusquinn
      marcusquinn last edited by marcusquinn

      Often a user will forget or get confused over passwords.

      My current instructions are that they need to go to my.example.com, logout and then do a password reset.

      Be better if there was a link to trigger the reset email link from already still being logged in too.

      We're not here for a long time - but we are here for a good time :)
      Jersey/UK
      Work & Ecommerce Advice: https://brandlight.org
      Personal & Software Tips: https://marcusquinn.com

      • murgero
        murgero App Dev @marcusquinn last edited by

        @marcusquinn I just have my users use Bitwarden lol. IDK if a password reset link while logged in is a smart idea, 'cause that allows anyone with access to their browser to just change the password.

        --
        https://urgero.org
        ~ Professional Nerd. Freelance Programmer. ~
        Matrix: @murgero:urgero.org

        • Moved from Support by girish
        • girish
          girish Staff last edited by

          You can also log in in anonymous mode and get to password reset.

          • marcusquinn
            marcusquinn @murgero last edited by

            @murgero Not really, they would need access to both a logged in browser and email.

            • marcusquinn
              marcusquinn @girish last edited by

              @girish Use case:

              User: Marcus, what's my Password?

              Marcus: IDK, try resetting it at my.example.com

              That's where the conversation should then end - yet it does not.

              I've presented the problem and the solution, the rest's up to you 😉

              • girish
                girish Staff @marcusquinn last edited by

                @marcusquinn this is only an issue because the user is already logged in, correct? I can look into what other services do.

                • mehdi
                  mehdi App Dev last edited by

                  I don't know of any service that does this.

                  When I am on the other side of this problem, as a user, what I usually do is just open an Incognito browser window and do the reset there.

                  • jdaviescoates
                    jdaviescoates @mehdi last edited by jdaviescoates

                    @mehdi I think it's fairly standard to be able to edit one's password. Normally via something called Profile / Account / Settings or similar

                    e.g. WordPress

                    https://wordpress.org/support/article/resetting-your-password/

                    Same thing on cloudron.io 😏

                    Screenshot_20210828-212521.png

                    I use Cloudron with Gandi & Hetzner

                    • murgero
                      murgero App Dev @marcusquinn last edited by

                      @marcusquinn Oh! As an admin - why not send them a password reset link? You can do this in 2 clicks under users.

                      • robi
                        robi @murgero last edited by

                        @murgero that requires admin intervention, they should be able to do that in a self-service fashion.

                        Life of Advanced Technology

                        • nebulon
                          nebulon Staff @robi last edited by

                          I am not sure what this really is about, but a user can edit his/her password through the Cloudron dashboard, but of course like with other services at least I am aware of, you have to provide the old password when setting a new one through a login session.

                          Password resets are instead verified by the email with the reset link.

                          I also don't think it is correct to allow password change without some kind of additional verification means, otherwise if a valid access token leaks for a user, anyone with that token can change the password.

                          • jdaviescoates
                            jdaviescoates @nebulon last edited by jdaviescoates

                            @nebulon I think the request is basically about adding an "email me a password reset link" button to the existing page where users can change their password (if they know their PW), right @marcusquinn ?

                            • marcusquinn
                              marcusquinn @jdaviescoates last edited by marcusquinn

                              @jdaviescoates Exactly that. There's no issue with security because it's no different to getting the link when logged out.

                              It is a usability issue, in that you have to first logout to trigger the email reset link.

                              It would also be good if it is always available on a memorable link too, like: https://my.example.com/password-reset as it's easy to then type out, in response to this question that seems to come up a couple of times a month among 60 users.

                              • nebulon
                                nebulon Staff @marcusquinn last edited by

                                @marcusquinn I see GitHub and the likes also show a password reset link in the profile. We can do this as well, as it essentially just prefills the regular password reset form with the email address.

                                There are two blocking issues we need to fix first, though:

                                1. Currently in a login session you could just change the email address right there and then trigger the password reset (this is already a bit of an issue so we will fix this anyways to require the password on email change)
                                2. Fix the password reset page to allow prefilling and directly jump into that form unlike now from the login page.
                                marcusquinn 1 Reply Last reply Reply Quote 2
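
An added example, not part of the thread and not Cloudron's code: a minimal model of the rules discussed above, where an email change inside a login session requires the current password and the profile reset button only mails the address already on file. The in-memory store, the `session` object and all function names are hypothetical.

```javascript
// Added example (not Cloudron code); store, session shape and names are hypothetical.
const crypto = require('crypto');

const users = new Map();       // username -> { email, salt, hash }
const outbox = [];             // stands in for the mail queue: { to, token }
const resetTokens = new Map(); // sha256(token) -> { username, expires }

const hashPassword = (password, salt) => crypto.scryptSync(password, salt, 32);
const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest('hex');

function addUser(username, email, password) {
  const salt = crypto.randomBytes(16);
  users.set(username, { email, salt, hash: hashPassword(password, salt) });
}

function verifyPassword(username, password) {
  const user = users.get(username);
  if (!user || typeof password !== 'string') return false;
  return crypto.timingSafeEqual(user.hash, hashPassword(password, user.salt));
}

// Blocking issue 1: a valid session alone is not enough to change the email.
function changeEmail(session, currentPassword, newEmail) {
  if (!verifyPassword(session.username, currentPassword)) return false;
  users.get(session.username).email = newEmail;
  return true;
}

// Profile button: the caller supplies no address; the link goes to the stored one.
function requestResetFromSession(session) {
  const user = users.get(session.username);
  if (!user) return false;
  const token = crypto.randomBytes(32).toString('hex');
  // Only the digest is stored, with a one-hour lifetime.
  resetTokens.set(sha256(token), { username: session.username, expires: Date.now() + 3600e3 });
  outbox.push({ to: user.email, token });
  return true;
}

// Reset completion: proof of mailbox access replaces the old password.
function completeReset(token, newPassword) {
  const entry = resetTokens.get(sha256(token));
  resetTokens.delete(sha256(token)); // single use
  if (!entry || entry.expires < Date.now()) return false;
  const user = users.get(entry.username);
  user.salt = crypto.randomBytes(16);
  user.hash = hashPassword(newPassword, user.salt);
  return true;
}
```
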
                                • marcusquinn
                                  marcusquinn @nebulon last edited by

                                  @nebulon Sounds good - be happy with that!

                                  • nebulon
                                    nebulon Staff @marcusquinn last edited by

                                    @marcusquinn this has been implemented now and will be part of the next release.

                                    • marcusquinn
                                      marcusquinn @nebulon last edited by

                                      @nebulon Magic - thank you kindly!

                                      Often I end up doing support over the phone or SMS without web access, so hoping this will make it easier to verbalise instructions without needing to copy/paste links.

                                      • marcusquinn
                                        marcusquinn @nebulon last edited by

                                        @nebulon Can I get an ETA on this, and what the URL will be please? (ideally something memorable, like my.example.com/password-reset)

                                        • nebulon
                                          nebulon Staff @marcusquinn last edited by

                                          @marcusquinn So what has been implemented is a way to reset the password on behalf of the user as an admin. If I understand you correctly, then you also want a direct link for the user to reset the password on his/her own?

                                          This does already exist though: https://my.example.com/login.html?passwordReset
                                          Would that work for you?

                                          • jdaviescoates
                                            jdaviescoates @nebulon last edited by

                                            @nebulon said in Password Reset should be an option for logged-in users too:

                                            @marcusquinn So what has been implemented is a way to reset the password on behalf of the user as an admin. If I understand you correctly, then you also want a direct link for the user to reset the password on his/her own?

                                            That was my understanding of what @marcusquinn wanted too - for already existing logged in users to be able to reset their own passwords...

                                            This does already exist though: https://my.example.com/login.html?passwordReset
                                            Would that work for you?

                                            Heh, I think that is exactly what @marcusquinn was after!

                                            That should be added to the docs somewhere!

                                            • marcusquinn
                                              marcusquinn @nebulon last edited by

                                              @nebulon Kinda not so memorable. I can't be the only Sys Admin that gets requests day and night that you have to answer by phone and memory? Can we have a URL rewrite for /password-reset?

                                              • robi
                                                robi @marcusquinn last edited by

                                                @marcusquinn said in Password Reset should be an option for logged-in users too:

                                                @nebulon Kinda not so memorable. I can't be the only Sys Admin that gets requests day and night that you have to answer by phone and memory? Can we have a URL rewrite for /password-reset?

                                                why not create a short URL that you'll remember?

                                                • marcusquinn
                                                  marcusquinn @robi last edited by

                                                  @robi Why not have as I've suggested? 🤷 This suggestion has a duplicate time cost and no benefit to any other Cloudron users.

                                                  It's considered feedback and a simple recommendation from trying to manage 50+ users of various computer literacy. The suggestion is good, and will help anyone else managing many variable Cloudron Users. No need for the debate time is starting to exceed the implementation time.

                                                  • robi
                                                    robi @marcusquinn last edited by

                                                    @marcusquinn because it already exists 🙂
