Password Reset should be an option for logged-in users too

robi

@murgero that requires admin intervention, they should be able to do that in a self-service fashion.

nebulon

I am not sure what this really is about, but a user can edit his/her password through the Cloudron dashboard, but of course like with other services at least I am aware of, you have to provide the old password when setting a new one through a login session.

Password resets are instead verified by the email with the reset link.

I also don't think it is correct to allow password change without some kind of additional verification means otherwise if a valid access token leaks for a user, anyone with that token can change the password.

jdaviescoates

@nebulon I think the request is basically about adding an "email me a password reset link" button to the existing page where users can change their password (if they know their PW), right @marcusquinn ?

marcusquinn

@jdaviescoates Exactly that. There's no issue with security because it's no different to getting the link when logged out.

It is a usability issue, in that you have to first logout to trigger the email reset link.

It would also be good if it is always available on a memorable link too, like: https://my.example.com/password-reset as it's easy to then type out, in response to this question that seems to come up a couple of times a month among 60 users.

nebulon

@marcusquinn I see github and the likes also show a password reset link in the profile. We can do this as well, as it essentially just prefills the regular password reset form with the email address.

There are two blocking issues, we need to fix first though:

1. Currently in a login session you could just change the email address right there and then trigger the password reset (this is already a bit of an issue so we will fix this anyways to require the password on email change)
2. Fix the password reset page to allow prefilling and directly jump into that form unlike now from the login page.

marcusquinn

@nebulon Sounds good - be happy with that!

nebulon

@marcusquinn this has been implemented now and will be part of the next release.

marcusquinn

@nebulon Magic - thank you kindly!

Often I end up doing support over the phone or SMS without web access, so hoping this will make it easier to verbalise instructions without needing to copy/paste links.

marcusquinn

@nebulon Can I get an ETA on this, and what the URL will be please? (ideally something memorable, like my.example.com/password-reset)

nebulon

@marcusquinn So what has been implemented is a way to reset the password on behalf of the user as an admin. If I understand you correctly, then you also want a direct link for the user to reset the password on his/her own?

This does already exist though: https://my.example.com/login.html?passwordReset
Would that work for you?

jdaviescoates

@nebulon said in Password Reset should be an option for logged-in users too:

@marcusquinn So what has been implemented is a way to reset the password on behalf of the user as an admin. If I understand you correctly, then you also want a direct link for the user to reset the password on his/her own?

That was my understanding of what @marcusquinn wanted too - for already existing logged in users to be able to reset their own passwords...

This does already exist though: https://my.example.com/login.html?passwordReset
Would that work for you?

Heh, I think that is exactly what @marcusquinn was after!

That should be added to the docs somewhere!

marcusquinn

@nebulon Kinda not so memorable. I can't be the only Sys Admin that gets requests day and night that you have to answer by phone and memory? Can we have a URL rewrite for /password-reset?

robi

@marcusquinn said in Password Reset should be an option for logged-in users too:

@nebulon Kinda not so memorable. I can't be the only Sys Admin that gets requests day and night that you have to answer by phone and memory? Can we have a URL rewrite for /password-reset?

why not create a short URL that you'll remember?

marcusquinn

@robi Why not have as I've suggested? This suggestion has a duplicate time cost and no benefit to any other CLoudron users.

It's considered feedback and a simple recommendation from trying to manage 50+ users of various computer literacy. The suggestion is good, and will help anyone else managing many variable Cloudron Users. No need for the debate time is starting to exceed the implementation time.

robi

@marcusquinn because it already exists