Forgotten Password Logon

kklosson
Posts: 1628
Joined: Sun Nov 23, 2008 3:19 pm
Location: Virginia

Forgotten Password Logon

Post by kklosson »

I would like to implement a forgotten password process. From the user's guide, it appears there is no way to test this feature in testing mode. Do I read it correctly? If so, how does one test this feature?
V8.8
MySQL, AWS EC2, S3
PDFtk Toolkit
tford
Posts: 4238
Joined: Sat Mar 10, 2007 6:44 pm

Re: Forgotten Password Logon

Post by tford »

Didn't realize you can't do it in test mode, but it's really pretty simple to implement. If you want to be really cautious, I guess you could set up a sample BSV and publish it.
Tom - V8.8 build 3137 - MySql / PostGres
kklosson
Posts: 1628
Joined: Sun Nov 23, 2008 3:19 pm
Location: Virginia

Re: Forgotten Password Logon

Post by kklosson »

Have you implemented it? If so, can you describe your general approach?
V8.8
MySQL, AWS EC2, S3
PDFtk Toolkit
customaware
Posts: 2405
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Forgotten Password Logon

Post by customaware »

I did it a while ago Kingsley and I am not near computer but pretty sure I followed the steps in the HowTo guide.
One convenient change now though is that you can use GEN_PWD to generate a random password which is much easier than trying to make one up yourself.

Let me know if you run into strife and will step it out when I get to a keyboard
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
kklosson
Posts: 1628
Joined: Sun Nov 23, 2008 3:19 pm
Location: Virginia

Re: Forgotten Password Logon

Post by kklosson »

I guess I can get through this but I have to do some work in the blind I guess.
V8.8
MySQL, AWS EC2, S3
PDFtk Toolkit
tford
Posts: 4238
Joined: Sat Mar 10, 2007 6:44 pm

Re: Forgotten Password Logon

Post by tford »

1) On the login page, I have text "Forgot your password? - click here to reset your password via email"

linked to: http://awareim.yourcompany.com:8080/Awa ... in=savname

2) that link runs the process that has this box checked on the first page of the process screen in the config tool: "Handles 'forgotten password' functionality"

3) four steps in my process:

a) DISPLAY URL 'http://www.CompanyName.com/Login' IN MAIN WINDOW (this redirects to display the AwareIM login screen to this BSV in case the user cancels)

b) ENTER NEW ForgottenPasswordRequest WITH ForgottenPasswordRequest.WhenRequested=CURRENT_TIMESTAMP USING Main
c) FIND User_Editor WHERE User_Editor.EmailAddress=ForgottenPasswordRequest.Email (Finds the user's email address)

d) If SEARCH_COUNT=0 Then
DISPLAY MESSAGE 'Email address was not found in the Updates system'
SEND OutgoingEmail_ResetPassword_NOT_FOUND
ForgottenPasswordRequest.UserFoundYN='No'
ELSE User_Editor.Password_Temp=CHARS_FROM_LEFT(User_Editor.EmailAddress,2)+AS_STRING(ROUND(RANDOM()*100000,0))+CHARS_FROM_RIGHT(User_Editor.EmailAddress,2)
User_Editor.Password=User_Editor.Password_Temp
User_Editor.Password_Reset_NeededYN='Yes'
ForgottenPasswordRequest.UserFoundYN='Yes'
SEND OutgoingEmail_ResetPassword
DISPLAY MESSAGE 'Temporary password was emailed to '+User_Editor.EmailAddress


As Mark mentioned, the new function will simplify Step 3 d.
Tom - V8.8 build 3137 - MySql / PostGres
customaware
Posts: 2405
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Forgotten Password Logon

Post by customaware »

Tom.....

Good post.

Much easier to use the new GEN_PWD function to generate a password now.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Jaymer
Posts: 2457
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: Forgotten PW Logon for MULTI-TENANT

Post by Jaymer »

FOR A MULTI-TENANT APP
Since you can't pass anything in using LogonFP, only the domain (ie. Business Space), how are you supposed to know which tenant the request is for?

If SEARCH COUNT > 0 (hopefully only 1) THEN that user rec will identify the tenant.
But if you didn't find a match, how will you know who to send the "not found" msg to?
And this would force emails to be unique across all Tenants, which means a user couldn't be signed up in more than one Tenant application.

any ideas Tom?
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
tford
Posts: 4238
Joined: Sat Mar 10, 2007 6:44 pm

Re: Forgotten Password Logon

Post by tford »

Good question Jaymer.

I don't have any multi-tenant apps and can't think of how you would solve it.
Tom - V8.8 build 3137 - MySql / PostGres
customaware
Posts: 2405
Joined: Mon Jul 02, 2012 12:24 am
Location: Ulaanbaatar, Mongolia

Re: Forgotten Password Logon

Post by customaware »

I am not sure I totally understand the question Jaymer... BUT...

It would depend on whether your SaaS app was structured as a Single Business Space (SBS) or Multi Business Space (MBS)

If SBS then logons are unique so if they know their login name then it will know which Tenant.
If MBS then "usually" the tenants would be differentiated by a sub-domain so even at the forgotten password dialog you will know which Tenant.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Jaymer
Posts: 2457
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: Forgotten Password Logon

Post by Jaymer »

It's definitely a SBS - don't want to deal with lots of replicated BSs.

Mark, TRUE, if they enter an email, then once it's found you know the tenant.
But like I said, "And this would force emails to be unique across all Tenants, which means a user couldn't be signed up in more than one Tenant application." ... using the same email. If someone had to be in more than one, then just add a suffix to the ID.

But, the issue was when it's not found.
To follow Tom's example, he was sending an email to someone when SEARCH_COUNT=0.
I'm not sure who you'd want to alert in that case - you can't identify the user, so I was thinking an admin of some kind... but without seeing the setup of the notification, I'm not sure what's hardcoded (or determined) in that setup.

Since I'm logging a failure, I'm not sure I really need to notify anyone anyway.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
JonP
Posts: 287
Joined: Thu Feb 16, 2017 9:49 pm
Location: United States

Re: Forgotten Password Logon

Post by JonP »

I considered allowing multiple tenants per user at one point because some of my users could be contractors for multiple tenants. You would need a many-to-many BO in between the user BO and tenant BO. But then I worried that the corner cases could be the death of me (especially with regard to permissions) and chickened-out.
v8.1 on Windows 10 / MySQL 5.6 (local), v8.1 on Windows Server 2016 / MySQL 5.6 (server)
Jaymer
Posts: 2457
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

Re: Forgotten Password Logon

Post by Jaymer »

I got this all worked out... for multi-tenant.
only requirement is unique emails for all users, even across tenants.

I ended up NOT storing the generated password into the user file (overwriting the forgotten pw) and don't need the ResetNeededYN flag.

I'm using the logonFp.aw hook, and sending them an email with a link to get back in that then asks them for new PW. Works great.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
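
Added example (not part of the thread, and not Aware IM rule code or any poster's implementation): a Python sketch of the link-based reset described in the last post, set against step 3 d earlier in the thread, where the temporary password is built from four characters of the email address plus a RANDOM() number and the "not found" branch tells the requester whether an address is registered. It generalizes to a tenant-scoped lookup; the names `request_reset`, `redeem_reset`, `USERS`, `RESET_TOKENS`, `OUTBOX` and the 15-minute lifetime are all assumptions, and the sample users are constructed.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)
GENERIC_REPLY = "If that address is registered, a reset link has been emailed."

# Constructed sample data: (tenant, email) -> user id. Keying on the pair assumes
# the tenant is known at request time (for example from a sub-domain).
USERS = {("acme", "pat@example.com"): 1, ("globex", "pat@example.com"): 2}
RESET_TOKENS = {}  # sha256(token) -> (user_id, expires_at); raw token is never stored
OUTBOX = []        # stands in for the outgoing email notification


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(tenant, email, now=None):
    """Handle the forgotten-password form; the reply is identical for hit and miss."""
    now = time.time() if now is None else now
    address = email.strip().lower()
    user_id = USERS.get((tenant, address))
    if user_id is not None:
        token = secrets.token_urlsafe(32)  # CSPRNG output, 256 bits of entropy
        RESET_TOKENS[_digest(token)] = (user_id, now + TOKEN_TTL)
        OUTBOX.append((address, token))    # the emailed link would carry the token
    # A miss would only be logged server-side; nothing is mailed or displayed.
    return GENERIC_REPLY


def redeem_reset(token, now=None):
    """Return the user id allowed to set a new password, or None."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_digest(token), None)  # pop makes the token single-use
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```

The stored password is untouched until the user redeems the link, so an unsolicited request cannot lock the account owner out.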