It is necessary when the user register automatically generate him a permanent password, which can be used. Then send it to the address indicated when registering mail
Emailing a user password after initial registration can be done, but by default Drupal makes this process hard since emailing passwords is a poor security practice. Instead Drupal emails a password reset link that allows the user to login and change the password just after registration.
That said, you could override that behavior by creating a custom module that implements hook_entity_presave(), changes the password and triggers an email before the new user entity is saved.
Related
I am implementing Django Password Reset to send a recovery password link when the user type his/her email id using django.contrib.auth.urls, which works as perfectly.
This is from Django Documentation,
If the email address provided does not exist in the system, the user is inactive, or has an unusable password, the user will still be redirected to this view but no email will be sent.
My question is,
If I add something like EmailValidation to check if the user typed email exists in the database or not and raise ValidationError, will that be a security problem?
Obviously, because it will allow a hacker to run brute force to guess emails. And if the password strength of the user is not strong enough, he might use brute force or guesses to forceful login(if there is no other security methods). I would suggest to put a captcha on reset page as well, to prevent the bots in reset password page.
In case the user forgot the password, how can I send him a reset link?
Django's PasswordChangeView, requests the old password, not resetting password.
The PasswordChangeView indeed asks for the old password, since this is the case where a user wants to change the password manually, and then we want to avoid the overhead of a user having to inspect their email, etc. It is however better to ask for the old password, since it could happen that a user has logged in, and now somebody else with (physical) access to their computer want to change the credentials to "take over" the account.
Another related view is the PasswordResetView this will email the user a link to a one-time URL where the user can set a new password. This is still - to some extent - secure since we typically assume the user is the only one with access to their email.
While creating user in userpool, user invitation messages are sent with a temporary password but email verification messages is not being sent.
I was creating a very simple setup to try out aws cognito service.
Here is what I did in AWS cognito, I created a user pool with step by step as follows:
1)What do you want to name your user pool?
-> testpool
2)How do you want to create your user pool?
-> step through settings
3)How do you want your end users to sign in?
->Email address or phone number-Allow email addresses
4)What password strength do you want to require?
->Minimum length=6
5)Do you want to allow users to sign themselves up?
->Allow users to sign themselves up
6)How quickly should user accounts created by administrators expire if not used?
->Days to expire-7
7)Do you want to enable Multi-Factor Authentication (MFA)?
->off
8)Do you want to require verification of emails or phone numbers?
->Email
9)You must provide a role to allow Amazon Cognito to send SMS messages
->testpool-SMS-Role
10)Do you want to customize your email verification messages?
->Verification type-link
->Email subject = Your verification link
->Email message = Please click the link below to verify your email address. {##Verify Email##}
11)Do you want to customize your user invitation messages?
->SMS message = Your username is {username} and temporary password is ->{####}.
->Email subject = Your temporary password
->Email message = Your username is {username} and temporary password is {####}.
12)Do you want to customize your email address?
->no
13)Do you want to add tags for this user pool?
->no
14)Do you want to remember your user's devices?
->no
15)Which app clients will have access to this user pool?
->none(will simulate from create user option in genral setting-user and group)
16)Do you want to customize workflows with triggers?
->no
17)Review page - this page shows summary of whatever I selected
Create pool
Now after pool creation went ot genral setting-user and group and clicked create user
A Create user pop-up shows:
Username (Required): myEmailAddress
Send an invitation to this new user?: check
Temporary password: left blank
Phone Number: empty(not required)
Mark phone number as verified? unCheck
Email: myEmailAddress
Mark email as verified? unCheck
Click on Create User
A mail is received into my account form no-reply#verificationemail.com via amazonses.com,with subject: Your temporary password with message as: Your username is somemailid#gmail.com and temporary password is agsjyk.
This is okay.
But I didnot receive any verification mail link before previous mail.
Not sure if you're missing this particular setup....Domain name is require for link verification.
Under "Tab integration" then "Domain name"
A mail is received into my account form no-reply#verificationemail.com via
amazonses.com,
with subject: Your temporary password
with message as: Your username is somemailid#gmail.com and temporary password is > agsjyk.
Looking at this it seems you are creating the user via the Cognito API by the AdminCreateUser method, and that's why you are receiving a temporary password.
The confirmation email you are expecting will only be sent if the user registers itself, so you should use the SignUp method.
verification mail link is for when users sign themselves up, they will receive a link to ask them to verify the email address instead of a code. In your case, you are send a temporary password to the user, so the link wont show up.
You need to add a domain in this section of the Incognito Service:
Also, if you are not getting the email, click on the user, and check their email, it could be wrong.
If anyone else is facing this issue, it appears that you cannot send verification emails if you use SAML or a federated identity provider. Cognito sets the cognito user to EXTERNAL_PROVIDER and no Cognito API calls allow sending a verifcation code or link. The cognito user is automatically created on initial sign-in. I have my user pool set to validate email address but it is always set to false.
The only way that I know to confirm the user via SSO is to use an external verification process outside of cognito.
With Cognito, if you have added both email and phone number then you should allow both as verification methods(In the SignUp experience Tab) as below:
Otherwise the email verification link or code is not sent
I'm using the flask-login library, and I haven't been able to find any good tutorials or documentation on how to go about allowing a user to reset their password through an email. What direction/resources can I look at on how to do this? A thorough google search didn't reveal anything useful.
Base logic:
Create reset password form with email field.
When user submit form then you should:
check this email in database
generate undistinguished crypto random secret key (next just secret key)
store this key, current timestamp and user identifier to cache or database
send it to user email or sms
When user apply secret key (for example with url or special form) you should:
validate it (exist, not expired, not used before)
get user identifier
delete or mark as used current secret key
provide logic to enter/generate new password.
Logic to enter/generate password can be different:
login user and show form to enter new password - one time login key
show form to enter password than login if valid
generate new password and send it to user email
generate new secret key for form to enter new password and send it to user email
generate new secret key to approve form, send it via sms, show form to enter new password and approval secret key then login if valid
flask-login doesn't take care of reset password emails and other such things. Its just there to manage sessions and cookies.
You should use Flask-Security which adds password reset functionality and other common security related features to flask. Flask-Security uses flask-login to handle sessions, but adds other features on top to round out the security features:
Email Confirmation
If desired you can require that new users confirm their email address.
Flask-Security will send an email message to any new users with an
confirmation link. Upon navigating to the confirmation link, the user
will be automatically logged in. There is also view for resending a
confirmation link to a given email if the user happens to try to use
an expired token or has lost the previous email. Confirmation links
can be configured to expire after a specified amount of time.
Password Reset/Recovery
Password reset and recovery is available for when a user forgets his
or her password. Flask-Security sends an email to the user with a link
to a view which they can reset their password. Once the password is
reset they are automatically logged in and can use the new password
from then on. Password reset links can be configured to expire after a
specified amount of time.
User Registration
Flask-Security comes packaged with a basic user registration view.
This view is very simple and new users need only supply an email
address and their password. This view can be overrided[sic] if your
registration process requires more fields.
Flask-Login only provides user session management for Flask. It handles the common tasks of logging in, logging out, and remembering your users’ sessions over extended periods of time. but not reset password, change password, email confirmation etc.
Flask-security was the best and easy option to do these. It pretty much handles everything. but it is not actively maintained.
Note
This project is non maintained anymore. Consider the
Flask-Security-Too project as an alternative. -- From flask-security
Github repo
So i recommend Flask-Security-Too library which is improved version and actively maintained. It also has much more features like 2FA Auth, Unified Sign-In etc
You can install install it using pip
pip install flask-security-too flask-sqlalchemy
and import libraries like
from flask-security import current_user, login_required
There are some complete (but simple) examples available in the examples directory of the Flask-Security repo.
Documentation : https://flask-security-too.readthedocs.io/en/stable/index.html
If a user is already logged in and clicks on a password reset link from their email, they automatically get redirected to the logged in area. I want the user to be able to reset their password, logged in or not. How do I prevent the redirect?
What you are trying to do is, use Devise recoverable module to change a logged in user password. This is not what recoverable module was built for.
As per carlosantoniodasilva, a Collaborator of Devise
This feature is for recovering passwords, not for signed in users
change their passwords. If you want that, you can use Registerable
module or handle it by yourself.
Registerable module handles signing up users through a registration process, also allowing them to edit and destroy their account.