Can we talk about this feature? Please

JoelBonetR 🥇 - Aug 15 '22 - - Dev Community

Explicitly about the "forgot password" thingy.

This little issue that appears in every single project where users can register themselves that says "Implement the forgot password feature" 😅

It's so common than most of the time people even doesn't split the issue. But should we?

Well, let's check the nuances on that.

workaround

  1. Show a message with a "forgot password?" link/button whenever the user fails to log in.
  2. Ask the server to send the "forgot password email".
  3. Catch the request on the server.
  4. Generate a token on the fly
  5. Generate a Link that includes this token
  6. Inject this link into an email template
  7. Send the email with the template
  8. When the link is clicked, we need to validate the token
  9. If it's expired, redirect to the login, showing the "forgot password?" link/button again along with a message that says "The link is expired, please try again".
  10. If it's OK, redirect the user to a view.
  11. This view has -usually- two fields. New password and Repeat password.
  12. Check that each individual password field is aligned with the required pattern (min. 8 chars, 1 uppercase, 1 lowercase, 1 special char...) and that both are equal.
  13. On submit, check the token again. Why? well, it can expire in the meantime, if this happen, return to point 9.
  14. If the token is OK, update the password for this user.
  15. Redirect to the login view with a message that says "your password has been updated successfully"

Munching the workaround

We can send another email once the password has been changed, that typical "Your password has been changed, if it wasn't you please, call the police, the SWAT, the marines and send us a ticket, your entire family may surrender to hackers".

Yet another thing is to handle 2FA if it's implemented in your app. You may want your users to have the chance to use it to make this process easier -for them- but as the 2FA is not something mandatory, you still need to do the rest while providing this other workaround😁


Answering the question I think we all can agree on that being a big YES, splitting the "forgot password" issue is a must (Just in case I mean Github, Gitlab, Jira... any issue tracker).

We need definition for email templates and nuances on some of those points and splitting all this overheat into smaller chunks also reduces the procrastination.

The Problem

This entire thingy is something that I usually procrastinate or delegate. The reason why is because IT IS BORING to develop (at least to me).

It is so boring that I coded a calculator and an NPM package just to avoid coding that forgot password thingy the last time I had to.

And I had to code it again this week. Glad this time I split myself that bunch into several smaller issues, otherwise this post would probably be like "Mom, look what I've done" talking about whatever crazy BS I could have come up with.


I'm still wondering why in the seven seas frameworks don't implement -yet- a nice friendly way to deal with that. I mean like... call this function with a config object as param and WOOSH points 5 to 10 automated!

I'm even thinking on create a npm lib if nothing exists just to spend like 80h trying to automate something worth a morning and making it as dynamic as possible to fit as much projects as possible.


Do you know any tool to help hundreds? If nothing exists, would you like to collaborate to bring something new?

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .