---
** [tickets:#6783] Create a process to reset forgotten passwords**
**Status:** open
**Labels:** 42cc auth
**Created:** Tue Oct 22, 2013 02:50 PM UTC by Dave Brondsema
**Last Updated:** Tue Oct 22, 2013 02:50 PM UTC
**Owner:** nobody
Allura should have a link on the login page for people who have forgotten their
username or password.
It should go to a form that asks them for their email address, and then if that
email address is verified in the system and and the user record isn't
disabled, send an email to them. The email should include their username and a
link to a reset page.
The reset page can use a secret hash url parameter to validate the user and let
them reset their password. The hash should be stored in the database when the
email was first sent. Also store the time that the email was sent, so that the
hash is only valid for a certain time period (configurable in ini). For the
password change form, lets re-use as much of the password change logic that
already exists for logged-in users. Refactor if needed.
Use `config['site_name']` on the html and email templates, so that the
experience is recognizable and comfortable for users.
Since auth is pluggable in Allura, this whole process needs to be optional.
Perhaps the simplest thing would be a new property on `AuthenticationProvider`
classes. Have it default to false, and the `LocalAuthenticationProvider` can
set the "forgot password reset" property to true.
---
Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed
to https://sourceforge.net/p/allura/tickets/
To unsubscribe from further messages, a project admin can change settings at
https://sourceforge.net/p/allura/admin/tickets/options. Or, if this is a
mailing list, you can unsubscribe from the mailing list.
