Forgotten Password Logon
I would like to implement a forgotten password process. From the user's guide, it appears there is no way to test this feature in testing mode. Do I read it correctly? If so, how does one test this feature?
V8.8
MySQL, AWS EC2, S3
PDFtk Toolkit
Re: Forgotten Password Logon
Didn't realize you can't do it in test mode, but it's really pretty simple to implement. If you want to be really cautious, I guess you could set up a sample BSV and publish it.
Tom - V8.8 build 3137 - MySql / PostGres
Re: Forgotten Password Logon
Have you implemented it? If so, can you describe your general approach?
V8.8
MySQL, AWS EC2, S3
PDFtk Toolkit
-
- Posts: 2405
- Joined: Mon Jul 02, 2012 12:24 am
- Location: Ulaanbaatar, Mongolia
Re: Forgotten Password Logon
I did it a while ago Kingsley and I am not near a computer but pretty sure I followed the steps in the HowTo guide.
One convenient change now though is that you can use GEN_PWD to generate a random password which is much easier than trying to make one up yourself.
Let me know if you run into strife and will step it out when I get to a keyboard.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Re: Forgotten Password Logon
I guess I can get through this but I have to do some work in the blind I guess.
V8.8
MySQL, AWS EC2, S3
PDFtk Toolkit
Re: Forgotten Password Logon
1) On the login page, I have text "Forgot your password? - click here to reset your password via email"
linked to: http://awareim.yourcompany.com:8080/Awa ... in=savname
2) That link runs the process that has this box checked on the first page of the process screen in the config tool: "Handles 'forgotten password' functionality"
3) four steps in my process:
a) DISPLAY URL 'http://www.CompanyName.com/Login' IN MAIN WINDOW (this redirects to display the AwareIM login screen to this BSV in case the user cancels)
b) ENTER NEW ForgottenPasswordRequest WITH ForgottenPasswordRequest.WhenRequested=CURRENT_TIMESTAMP USING Main
c) FIND User_Editor WHERE User_Editor.EmailAddress=ForgottenPasswordRequest.Email (Finds the user's email address)
d) If SEARCH_COUNT=0 Then
      DISPLAY MESSAGE 'Email address was not found in the Updates system'
      SEND OutgoingEmail_ResetPassword_NOT_FOUND
      ForgottenPasswordRequest.UserFoundYN='No'
   ELSE
      User_Editor.Password_Temp=CHARS_FROM_LEFT(User_Editor.EmailAddress,2)+AS_STRING(ROUND(RANDOM()*100000,0))+CHARS_FROM_RIGHT(User_Editor.EmailAddress,2)
      User_Editor.Password=User_Editor.Password_Temp
      User_Editor.Password_Reset_NeededYN='Yes'
      ForgottenPasswordRequest.UserFoundYN='Yes'
      SEND OutgoingEmail_ResetPassword
      DISPLAY MESSAGE 'Temporary password was emailed to '+User_Editor.EmailAddress
As Mark mentioned, the new function will simplify Step 3 d.
Tom - V8.8 build 3137 - MySql / PostGres
Re: Forgotten Password Logon
Tom.....
Good post.
Much easier to use the new GEN_PWD function to generate a password now.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Re: Forgotten PW Logon for MULTI-TENANT
FOR A MULTI-TENANT APP
Since you can't pass anything in using LogonFP, only the domain (i.e. Business Space), how are you supposed to know which tenant the request is for?
If SEARCH COUNT > 0 (hopefully only 1) THEN that user rec will identify the tenant.
But if you didn't find a match, how will you know who to send the "not found" msg to?
And this would force emails to be unique across all Tenants, which means a user couldn't be signed up in more than one Tenant application.
Any ideas, Tom?
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: Forgotten Password Logon
Good question Jaymer.
I don't have any multi-tenant apps and can't think of how you would solve it.
Tom - V8.8 build 3137 - MySql / PostGres
Re: Forgotten Password Logon
I am not sure I totally understand the question Jaymer... BUT...
It would depend on whether your SaaS app was structured as a Single Business Space (SBS) or Multi Business Space (MBS).
If SBS then logons are unique so if they know their login name then it will know which Tenant.
If MBS then "usually" the tenants would be differentiated by a sub-domain so even at the forgotten password dialog you will know which Tenant.
Cheers,
Mark
_________________
AwareIM 6.0, 8.7, 8.8, 9.0 , MariaDB, Windows 10, Ubuntu Linux. Theme: Default, Browser: Arc
Upcloud, Obsidian....
Re: Forgotten Password Logon
It's definitely a SBS - don't want to deal with lots of replicated BSs.
Mark, TRUE, if they enter an email, then once it's found you know the tenant.
But like I said, "And this would force emails to be unique across all Tenants, which means a user couldn't be signed up in more than one Tenant application." ... using the same email. If someone had to be in more than one, then just add a suffix to the ID.
But, the issue was when it's not found.
To follow Tom's example, he was sending an email to someone when SEARCH_COUNT=0.
I'm not sure who you'd want to alert in that case - you can't identify the user, so I was thinking an admin of some kind... but without seeing the setup of the notification, I'm not sure what's hardcoded (or determined) in that setup.
Since I'm logging a failure, I'm not sure I really need to notify anyone anyway.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: Forgotten Password Logon
I considered allowing multiple tenants per user at one point because some of my users could be contractors for multiple tenants. You would need a many-to-many BO in between the user BO and tenant BO. But then I worried that the corner cases could be the death of me (especially with regard to permissions) and chickened-out.
v8.1 on Windows 10 / MySQL 5.6 (local), v8.1 on Windows Server 2016 / MySQL 5.6 (server)
Re: Forgotten Password Logon
I got this all worked out... for multi-tenant.
Only requirement is unique emails for all users, even across tenants.
I ended up NOT storing the generated password into the user file (overwriting the forgotten pw) and don't need the ResetNeededYN flag.
I'm using the logonFp.aw hook, and sending them an email with a link to get back in that then asks them for new PW. Works great.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
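The link-based reset described in the last post (nothing written over the stored password until the user comes back through the emailed link), sketched in Python as an added example. It is not AwareIM rule code or code from anyone in this thread; the in-memory stores, function names, generic reply text and 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)
GENERIC_REPLY = "If that address is registered, a reset link has been sent."

users = {"kim@example.test": {"pw_hash": "old-hash"}}  # constructed sample data
pending = {}  # sha256(token) -> (email, expiry); the raw token is never stored
outbox = []   # stands in for the outgoing email; (email, token) pairs
audit = []    # (time, email, found) so failed lookups are logged, not announced


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Handle the 'forgot password' form; the reply is the same either way."""
    now = time.time() if now is None else now
    email = email.strip().lower()
    found = email in users
    audit.append((now, email, found))
    if found:
        # A new request invalidates any older link for the same account.
        for old in [d for d, (e, _) in pending.items() if e == email]:
            del pending[old]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        pending[_digest(token)] = (email, now + TOKEN_TTL)
        outbox.append((email, token))      # the emailed link carries the token
    return GENERIC_REPLY


def redeem(token, new_pw_hash, now=None):
    """Set the new password only for a known, unexpired, unused token."""
    now = time.time() if now is None else now
    entry = pending.pop(_digest(token), None)  # pop makes the link single-use
    if entry is None or now > entry[1]:
        return False
    # new_pw_hash is assumed to come from the application's password hasher.
    users[entry[0]]["pw_hash"] = new_pw_hash
    return True
```

For comparison, the temporary-password formula posted earlier in the thread takes four of its characters from the email address, so its only unknown part is the number from ROUND(RANDOM()*100000,0), roughly 100,000 values if RANDOM() returns a value between 0 and 1 (an assumption about that function).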