Password reset #12

Open
zorbathut opened this issue Jun 24, 2020 · 3 comments
Labels
enhancement New feature or request

Comments

@zorbathut
Contributor

It's unclear if password reset exists. If it doesn't, we definitely need it; if it does, it needs to be more visible.

@zorbathut zorbathut added the enhancement New feature or request label Jun 24, 2020
@Deimos
Contributor

Deimos commented Jun 30, 2020

I do password resets "manually", the site just tells people to email [email protected] if they can't log in. I have a little function for it that I run through a shell - you can open one with `pshell production.ini` (or `pshell development.ini` on the dev version):

```python
def reset_password(username: str) -> None:
    """Reset the password for a user, including verifying email."""
    # Run inside pshell, which provides the `request` object used below.
    import secrets
    import string
    from tildes.lib.hash import is_match_for_hash
    from tildes.models.user import User

    user = request.query(User).filter_by(username=username).one_or_none()
    if not user:
        print("User not found")
        return

    if not user.email_address_hash:
        print("No recovery email address")
        return

    email = input("User has recovery email, enter address: ")
    email = email.strip().lower()

    # only the hash of the recovery address is stored, so compare against it
    if not is_match_for_hash(email, user.email_address_hash):
        print("Incorrect email address")
        return

    # create a random password; `secrets` draws from the OS CSPRNG, whereas
    # the `random` module is predictable and unsuitable for credentials
    password_alphabet = string.ascii_uppercase + string.ascii_lowercase + string.digits
    new_password = "".join(secrets.choice(password_alphabet) for _ in range(8))

    user.password = new_password
    request.db_session.add(user)
    request.tm.commit()

    print(f'Password set to "{new_password}"')
```

It requires people having set a recovery email address on the account, I'm not sure if you have a different plan for how to verify account ownership. If you do want to use email and don't want to handle them manually it will probably be a larger project since you'll have to integrate an email-sending service of some sort.

@zorbathut
Contributor Author

Aha, handy code :)

I definitely don't want to be doing this manually forever, but yeah, the email-sending service is going to be a bit of a pain. Assuming you would also like to stop doing it manually, any service you'd prefer if we were to build something with the intention of upstreaming it?

@Deimos
Contributor

Deimos commented Jun 30, 2020

I would probably use Postmark if I ever integrate email for this or anything else: https://postmarkapp.com/

Right now there's usually only one reset every week or two though and it only takes a minute to deal with, so it's easy enough to just do them manually as needed.
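
The thread leaves the automated, email-based flow open. The sketch below is an added example, not code from Tildes or from either commenter, and it goes beyond the manual function by issuing a single-use, expiring reset token after the same recovery-email check, keeping only the token's digest. Assumptions: `ResetTokens`, `digest` and `TOKEN_TTL_SECONDS` are hypothetical names, SHA-256 stands in for the site's `is_match_for_hash` (whose implementation is not shown here), and storage is an in-memory dict.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumed lifetime, not a value from the thread


def digest(value: str) -> str:
    """SHA-256 hex digest; a stand-in for the site's own hash helper."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class ResetTokens:
    """Pending resets kept in memory: username -> (token digest, expiry)."""

    def __init__(self, email_hashes: Dict[str, str]) -> None:
        self.email_hashes = email_hashes  # username -> recovery email digest
        self.pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str, email: str,
              now: Optional[float] = None) -> Optional[str]:
        """Return a one-time token if the email matches the stored hash."""
        now = time.time() if now is None else now
        stored = self.email_hashes.get(username)
        candidate = digest(email.strip().lower())  # normalised as in reset_password
        if stored is None or not hmac.compare_digest(candidate, stored):
            return None  # unknown user and wrong email return the same result
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only the digest, so a database leak does not expose live tokens.
        self.pending[username] = (digest(token), now + TOKEN_TTL_SECONDS)
        return token  # this value goes in the email; it is never stored

    def redeem(self, username: str, token: str,
               now: Optional[float] = None) -> bool:
        """Accept a token once, before it expires."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        token_digest, expires = entry
        if now > expires:
            del self.pending[username]  # expired tokens are discarded
            return False
        if not hmac.compare_digest(digest(token), token_digest):
            return False
        del self.pending[username]  # single use
        return True
```

On a successful `redeem` the caller would let the user choose a new password, so no password ever travels by email or appears on an operator's screen.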
