Password Reset should be an option for logged-in users too

    marcusquinn
    wrote on last edited by marcusquinn
    #1

    Often a user will forget or get confused over passwords.

    My current instructions are that they need to go to my.example.com, logout and then do a password reset.

    Be better if there was a link to trigger the reset email link from already still being logged in too.

    Web Design & Development: https://www.evergreen.je
    Technology & Apps: https://www.marcusquinn.com

      murgero
      App Dev
      wrote on last edited by
      #2

      @marcusquinn I just have my users use Bitwarden lol. IDK if a password reset link while logged in is a smart idea, 'cause that allows anyone with access to their browser to just change the password.

      --
      https://urgero.org
      ~ Professional Nerd. Freelance Programmer. ~

        girish
        Staff
        wrote on last edited by
        #3

        You can also log in in anonymous mode and get to password reset.

          marcusquinn
          wrote on last edited by
          #4

          @murgero Not really, they would need access to both a logged in browser and email.

          Web Design & Development: https://www.evergreen.je
          Technology & Apps: https://www.marcusquinn.com

            marcusquinn
            wrote on last edited by
            #5

            @girish Use case:

            User: Marcus, what's my Password?

            Marcus: IDK, try resetting it at my.example.com

            That's where the conversation should then end - yet it does not.

            I've presented the problem and the solution, the rest's up to you 😉

            Web Design & Development: https://www.evergreen.je
            Technology & Apps: https://www.marcusquinn.com

              girish
              Staff
              wrote on last edited by
              #6

              @marcusquinn this is only an issue because the user is already logged in, correct? I can look into what other services do.

                mehdi
                App Dev
                wrote on last edited by
                #7

                I don't know of any service that does this.

                When I am on the other side of this problem, as a user, what I usually do is just open an Incognito browser window and do the reset there.

                  jdaviescoates
                  wrote on last edited by jdaviescoates
                  #8

                  @mehdi I think it's fairly standard to be able to edit one's password. Normally via something called Profile / Account / Settings or similar

                  e.g. WordPress

                  https://wordpress.org/support/article/resetting-your-password/

                  Same thing on cloudron.io 😏

                  Screenshot_20210828-212521.png

                  I use Cloudron with Gandi & Hetzner

                    murgero
                    App Dev
                    wrote on last edited by
                    #9

                    @marcusquinn Oh! As an admin - why not send them a password reset link? You can do this in 2 clicks under users.

                    --
                    https://urgero.org
                    ~ Professional Nerd. Freelance Programmer. ~

                      robi
                      wrote on last edited by
                      #10

                      @murgero that requires admin intervention, they should be able to do that in a self-service fashion.

                      Conscious tech

                        nebulon
                        Staff
                        wrote on last edited by
                        #11

                        I am not sure what this really is about, but a user can edit his/her password through the Cloudron dashboard, but of course like with other services at least I am aware of, you have to provide the old password when setting a new one through a login session.

                        Password resets are instead verified by the email with the reset link.

                        I also don't think it is correct to allow password change without some kind of additional verification means; otherwise, if a valid access token leaks for a user, anyone with that token can change the password.

                          jdaviescoates
                          wrote on last edited by jdaviescoates
                          #12

                          @nebulon I think the request is basically about adding an "email me a password reset link" button to the existing page where users can change their password (if they know their PW), right @marcusquinn ?

                          I use Cloudron with Gandi & Hetzner

                            marcusquinn
                            wrote on last edited by marcusquinn
                            #13

                            @jdaviescoates Exactly that. There's no issue with security because it's no different to getting the link when logged out.

                            It is a usability issue, in that you have to first logout to trigger the email reset link.

                            It would also be good if it is always available on a memorable link too, like: https://my.example.com/password-reset as it's easy to then type out, in response to this question that seems to come up a couple of times a month among 60 users.

                            Web Design & Development: https://www.evergreen.je
                            Technology & Apps: https://www.marcusquinn.com

                              nebulon
                              Staff
                              wrote on last edited by
                              #14

                              @marcusquinn I see GitHub and the likes also show a password reset link in the profile. We can do this as well, as it essentially just prefills the regular password reset form with the email address.

                              There are two blocking issues we need to fix first, though:

                              1. Currently in a login session you could just change the email address right there and then trigger the password reset (this is already a bit of an issue so we will fix this anyways to require the password on email change)
                              2. Fix the password reset page to allow prefilling and directly jump into that form unlike now from the login page.
                              marcusquinnM 1 Reply Last reply
                              2
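The first blocking issue from post #14, combined with the leaked-token concern from post #11, as an added example that is not part of the thread and not Cloudron's code. `AccountService`, its methods and the sample accounts are hypothetical and constructed for illustration; the point is that a reset link triggered from a session is only as safe as the email-change endpoint.

```javascript
// Added illustration: hypothetical in-memory account service, not Cloudron's code.
const crypto = require('node:crypto');

const newToken = () => crypto.randomBytes(32).toString('hex');
const hashPassword = (password, salt = crypto.randomBytes(16)) =>
  ({ salt, hash: crypto.scryptSync(password, salt, 32) });
const passwordMatches = (stored, password) =>
  typeof password === 'string' &&
  crypto.timingSafeEqual(crypto.scryptSync(password, stored.salt, 32), stored.hash);

class AccountService {
  constructor({ requirePasswordOnEmailChange }) {
    this.requirePasswordOnEmailChange = requirePasswordOnEmailChange;
    this.users = new Map();    // username -> { email, password }
    this.sessions = new Map(); // session token -> username
    this.resets = new Map();   // reset token -> username
    this.outbox = [];          // stand-in for the mail transport
  }
  addUser(username, email, password) {
    this.users.set(username, { email, password: hashPassword(password) });
  }
  login(username, password) {
    const user = this.users.get(username);
    if (!user || !passwordMatches(user.password, password)) throw new Error('login failed');
    const token = newToken();
    this.sessions.set(token, username);
    return token;
  }
  userForSession(sessionToken) {
    const user = this.users.get(this.sessions.get(sessionToken));
    if (!user) throw new Error('invalid session');
    return user;
  }
  // Blocking issue 1: a session alone must not be able to redirect reset mail.
  changeEmail(sessionToken, newEmail, currentPassword) {
    const user = this.userForSession(sessionToken);
    if (this.requirePasswordOnEmailChange && !passwordMatches(user.password, currentPassword)) {
      throw new Error('current password required');
    }
    user.email = newEmail;
  }
  // The "email me a reset link" button: mail goes only to the address on file.
  requestResetForSession(sessionToken) {
    const user = this.userForSession(sessionToken);
    const token = newToken();
    this.resets.set(token, this.sessions.get(sessionToken));
    this.outbox.push({ to: user.email, token });
    return user.email;
  }
}

// Someone holding a leaked session token, but not the password, tries to
// point the reset mail at a different mailbox before requesting the link.
function simulateLeakedSession(requirePasswordOnEmailChange) {
  const svc = new AccountService({ requirePasswordOnEmailChange });
  svc.addUser('alice', 'alice@example.com', 'constructed-sample-password');
  const leaked = svc.login('alice', 'constructed-sample-password');
  let emailChanged = true;
  try { svc.changeEmail(leaked, 'other@example.net'); } catch { emailChanged = false; }
  return { emailChanged, resetSentTo: svc.requestResetForSession(leaked) };
}
```

With the password check off, the reset mail follows the changed address; with it on, the email change is refused and the link still goes to the mailbox on file.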
                                marcusquinn
                                wrote on last edited by
                                #15

                                @nebulon Sounds good - be happy with that!

                                Web Design & Development: https://www.evergreen.je
                                Technology & Apps: https://www.marcusquinn.com

                                  nebulon
                                  Staff
                                  wrote on last edited by
                                  #16

                                  @marcusquinn this has been implemented now and will be part of the next release.

                                    marcusquinn
                                    wrote on last edited by
                                    #17

                                    @nebulon Magic - thank you kindly!

                                    Often I end up doing support over the phone or SMS without web access, so hoping this will make it easier to verbalise instructions without needing to copy/paste links.

                                    Web Design & Development: https://www.evergreen.je
                                    Technology & Apps: https://www.marcusquinn.com

                                      marcusquinn
                                      wrote on last edited by
                                      #18

                                      @nebulon Can I get an ETA on this, and what the URL will be please? (ideally something memorable, like my.example.com/password-reset)

                                      Web Design & Development: https://www.evergreen.je
                                      Technology & Apps: https://www.marcusquinn.com

                                        nebulon
                                        Staff
                                        wrote on last edited by
                                        #19

                                        @marcusquinn So what has been implemented is a way to reset the password on behalf of the user as an admin. If I understand you correctly, then you also want a direct link for the user to reset the password on his/her own?

                                        This does already exist though: https://my.example.com/login.html?passwordReset
                                        Would that work for you?

                                          jdaviescoates
                                          wrote on last edited by
                                          #20

                                          @nebulon said in Password Reset should be an option for logged-in users too:

                                          > @marcusquinn So what has been implemented is a way to reset the password on behalf of the user as an admin. If I understand you correctly, then you also want a direct link for the user to reset the password on his/her own?

                                          That was my understanding of what @marcusquinn wanted too - for already existing logged in users to be able to reset their own passwords...

                                          > This does already exist though: https://my.example.com/login.html?passwordReset
                                          > Would that work for you?

                                          Heh, I think that is exactly what @marcusquinn was after!

                                          That should be added to the docs somewhere!

                                          I use Cloudron with Gandi & Hetzner
