New process to create users and password recovery
Taking advantage of the platform penetration test that the Cyber team is carrying out, and of an improvement proposal, a new mechanism has been implemented for creating users through self-registration (sign-up), for recovering a forgotten password, and for communicating a password change made for a user from the control panel or from the management APIs. In all of these cases the password is no longer transmitted by email.
Self-registration (Sign-up)
The user registration form has been updated so that the password is no longer entered at registration time; instead, the user sets it when validating her email address.
Submitting the form does not register the user yet; it sends an email to the address provided, containing a link where the registration process is completed.
The email indicates the URL where the registration can be completed and warns that, if the process is not completed within a given time (configurable per installation), the link stops working and the previously provided information is discarded.
Once the registration is complete, the user is returned to the login screen, where she can authenticate if desired.
Password recovery
Previously, the password was sent directly by email. Now a password recovery flow is started:
A registered user enters her email address to request recovery.
The user is then returned to the login page with a prompt to check her email.
The email includes the link for entering the new password, together with the maximum time allowed to complete the process; after that time the link is no longer available.
The link leads to a new form where the new password is entered.
After that, the user is returned to the login page.
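Both the sign-up and the password-recovery flows above rely on the same building block: a single-use, time-limited link token that is emailed instead of a password, with the pending data discarded when the link expires. The following is an added example written for this note, not the platform's own code; the TTL value, the store and function names, and the password hashing (a stand-in for whatever the platform uses) are assumptions.

```python
import hashlib
import secrets
import time

# Assumed value: the page only says the link lifetime is configurable per installation.
DEFAULT_LINK_TTL_SECONDS = 15 * 60


class PendingActionStore:
    """Holds pending sign-ups and password resets until the emailed link is used or expires."""

    def __init__(self, ttl=DEFAULT_LINK_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._pending = {}  # SHA-256 digest of the token -> pending entry

    @staticmethod
    def _digest(token):
        # Store only a digest: a leaked copy of the store does not yield working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email, action, data=None):
        """Create the single-use token that goes into the emailed link and return it."""
        token = secrets.token_urlsafe(32)  # 256 random bits, URL-safe
        self._pending[self._digest(token)] = {
            "email": email,
            "action": action,  # "signup" or "reset"
            "data": dict(data or {}),  # sign-up form fields; never a password
            "expires": self.clock() + self.ttl,
        }
        return token

    def consume(self, token):
        """Redeem a token once; returns None if it is unknown, already used or expired."""
        entry = self._pending.pop(self._digest(token), None)  # pop: a link works at most once
        if entry is None or self.clock() > entry["expires"]:
            return None  # an expired link drops the previously provided information with it
        return entry


def complete_signup(store, token, password, users):
    """Step two of sign-up: the user is created only now, with the password she just chose."""
    entry = store.consume(token)
    if entry is None or entry["action"] != "signup":
        return False
    salt = secrets.token_bytes(16)  # stand-in password hashing, not the platform's real scheme
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    users[entry["email"]] = {**entry["data"], "salt": salt, "password_hash": pw_hash}
    return True
```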
Reset or change of password by an Administrator from the control panel
There are two other points from which an administrator can change another user's password:
From the list of users.
From the user edit page.
In the first case, a random password is generated and the user must change it within a configurable time, or the account is blocked. In the second case, no change is required.
Previously, an email was sent containing the new password, whether modified or generated. With the new mechanism, in both cases an email is sent with a link to a screen where the new password can be viewed. After a configurable time, the link is no longer available.
Following the link leads to the password screen.
Password management from REST APIs
User creation:
User self-registration does not apply to the APIs: the API does allow creating users, but only with a Bearer token that grants that permission, so whoever uses this functionality is already authenticated on the platform and has the appropriate permissions.
Password reset:
Currently this is done by sending an email containing the password. This functionality has been deprecated: it is kept for backward compatibility with applications that currently use it, but bear in mind that it will be removed in the future.
A new function has been added which sends the same email as a reset requested from the login page, and requires the user to confirm by entering the new password in the same form.