On Tue, Mar 21, 2017 at 9:09 PM, Ayesha Dissanayaka <[email protected]> wrote:
> On Tue, Mar 21, 2017 at 1:34 AM, Omindu Rathnaweera <[email protected]> wrote:
>
>> +1 for using HTML mail templates. But do we have to consider mail clients
>> which don't support HTML? If so, either the endpoint which accepts the
>> confirmation code should work for both GETs and POSTs or we have to use
>> a different approach to enter the confirmation code. Ex: a prompt to enter
>> the code.
>
> I think we need to support both HTML based and non HTML based mail
> clients. Also for the password reset page we should support both GET and POST to
> cater for this (email link and button submit).
>
> Also for non-HTML emails, we can change the email template to send the
> confirmation code in the body or URL, depending on system preference. In that
> case the page returned from the given link should support both cases as below:
> - if the confirmation code comes in the URL as a query parameter, validate it and
> proceed to the reset step.
> - otherwise prompt an input field for the user to fill in the confirmation code
> that is sent in the email body, validate and proceed to the reset step.

+1 for this approach. But we'll have to use a shorter confirmation code (6 alphanumeric characters?) rather than a UUID, since a user should be able to enter it by hand. We can't always assume the user will copy & paste the code. Since this is a relatively short string, we'll need to check for uniqueness in the DB, which is not the case with UUIDs. We should be able to use lang3's random alphanumeric generator [1].

> On Tue, Mar 21, 2017 at 12:33 PM, Dinali Dabarera <[email protected]> wrote:
>
>> We are not going to lock the user since we use a random password when
>> storing the user in the DB and it will be overwritten by the user password
>> update.
>
> Why do we need a password at all, can't we create a user without a
> password? Is there any such restriction?

We can create a user without a password. But it might be possible to authenticate only with the user name since the account is unlocked. I haven't tested how the authentication behaves when the password is not there.

> Thanks!
> -Ayesha
>
> --
> *Ayesha Dissanayaka*
> Senior Software Engineer,
> WSO2, Inc : http://wso2.com
> 20, Palm grove Avenue, Colombo 3
> E-Mail: [email protected]
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

[1] - http://commons.apache.org/proper/commons-lang/apidocs/org/apache/commons/lang3/RandomStringUtils.html#randomAlphanumeric-int-

Regards,
Omindu.

--
Omindu Rathnaweera
Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
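As an added illustration of the flow Omindu outlines above (a short, hand-typeable confirmation code that is kept unique among outstanding codes and is accepted either from the URL of an HTML-mail link or from a form field filled in from a plain-text mail), the following Java sketch is example code written for this note; it is not WSO2 code and not part of the thread. It assumes an in-memory map in place of the DB table, a query/form parameter named `confirmation`, and a 15-minute code lifetime; all three are made up for the example.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical helper for the confirmation-code flow discussed in the thread
 * (example code, not WSO2's): issues a short code a user can type by hand,
 * keeps it unique among outstanding codes, and accepts it either from a URL
 * query parameter (GET link) or from a submitted form field (POST).
 */
public class ConfirmationCodes {

    // Alphabet without visually ambiguous characters (0/O, 1/I/l) so a user
    // reading the code from a plain-text mail can type it without mistakes.
    private static final String ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789";
    private static final int CODE_LENGTH = 6;
    private static final int MAX_COLLISION_RETRIES = 10;
    private static final Duration TTL = Duration.ofMinutes(15);          // assumed lifetime
    private static final String PARAM_NAME = "confirmation";             // assumed parameter name

    // SecureRandom rather than java.util.Random: lang3's randomAlphanumeric(int)
    // draws from a shared java.util.Random, so if lang3 is used for generation,
    // call the overload that takes a Random and pass a SecureRandom, e.g.
    //   RandomStringUtils.random(CODE_LENGTH, 0, 0, false, false, ALPHABET.toCharArray(), RNG)
    private static final SecureRandom RNG = new SecureRandom();

    static final class Pending {
        final String username;
        final Instant expiresAt;
        Pending(String username, Instant expiresAt) { this.username = username; this.expiresAt = expiresAt; }
    }

    // Constructed stand-in for the DB table keyed by code. The uniqueness check
    // in issue() is the one a short code needs and a UUID does not.
    private final Map<String, Pending> pending = new HashMap<>();

    static String randomCode() {
        StringBuilder sb = new StringBuilder(CODE_LENGTH);
        for (int i = 0; i < CODE_LENGTH; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Issues a code for the user, retrying on a collision with an outstanding code. */
    public synchronized String issue(String username) {
        // One outstanding code per user: a new request invalidates the old one.
        pending.values().removeIf(p -> p.username.equals(username));
        Instant expiry = Instant.now().plus(TTL);
        for (int attempt = 0; attempt < MAX_COLLISION_RETRIES; attempt++) {
            String code = randomCode();
            if (pending.putIfAbsent(code, new Pending(username, expiry)) == null) {
                return code;
            }
        }
        throw new IllegalStateException("could not allocate a unique confirmation code");
    }

    /**
     * Takes the code from the query string (link in an HTML mail) or, failing that,
     * from the submitted form (code typed from a plain-text mail). An empty result
     * means the page should render the input prompt.
     */
    public static Optional<String> codeFromRequest(Map<String, String> query, Map<String, String> form) {
        String raw = query.get(PARAM_NAME);
        if (raw == null) raw = form.get(PARAM_NAME);
        if (raw == null) return Optional.empty();
        // Typed codes arrive with stray spaces and in either case: normalise
        // before lookup and reject anything outside the alphabet.
        String code = raw.trim().toUpperCase(Locale.ROOT);
        if (code.length() != CODE_LENGTH || !code.chars().allMatch(c -> ALPHABET.indexOf(c) >= 0)) {
            return Optional.empty();
        }
        return Optional.of(code);
    }

    /** Consumes the code: usable once and only before expiry. Returns the username on success. */
    public synchronized Optional<String> redeem(String code) {
        Pending p = pending.remove(code);   // single use, whether or not it is still valid
        if (p == null || Instant.now().isAfter(p.expiresAt)) {
            return Optional.empty();
        }
        return Optional.of(p.username);
    }

    public static void main(String[] args) {
        ConfirmationCodes codes = new ConfirmationCodes();
        String code = codes.issue("alice");            // this is what would be mailed
        System.out.println("mailed code: " + code);

        // Link click: the code arrives as a query parameter.
        Optional<String> fromLink = codeFromRequest(Map.of(PARAM_NAME, code), Map.of());
        System.out.println("redeemed via link: " + fromLink.flatMap(codes::redeem));

        // Typed entry of the same code must now fail: it was already consumed.
        Optional<String> fromForm = codeFromRequest(Map.of(), Map.of(PARAM_NAME, " " + code.toLowerCase(Locale.ROOT)));
        System.out.println("replayed via form: " + fromForm.flatMap(codes::redeem));
    }
}
```

Two points worth keeping in mind with a code this short: the space of six characters over this alphabet is under a billion values, far smaller than a UUID, so the endpoint that accepts the code needs the single-use and expiry handling shown here plus a limit on failed attempts per user or per source, and the generator must be seeded from `SecureRandom`, which the plain `randomAlphanumeric(int)` call in [1] does not do on its own.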
