What is the best way to reset password only with token?
Now it mades with token and email, I want to get an email by checking tocket in reminders table.
Thanks!
Update
Resolved this by:
$email = DB::table(Config::get('auth.reminder.table'))->where('token', $token)->pluck('email');
Here's how I do password resets.
User clicks Forgot Password link and is taken to a form with one field for email.
They enter their registered email address and I check the email exists in the DB. If it does, I store a random reset code for that user using Str::random(60). I then save the user and email them a link with a reset code (eg. http://domain.com/reset/CODE).
User clicks the link and is taken to the URL above which checks the CODE. If the CODE exists in the DB, the password for the matching user is reset to something random using Str::random(10) and this new password is mailed to the user.
Not sure if this is right/wrong, but it works for me.
Related
I want to parameterise the login feature file so that is can be used for multiple user credentials. Can anyone please help me here? Below is the code that I am using:
Given url baseUrl
And form field username = 'admin'
And form field password = 'admin'
When method GET
Then status 200
I want to parameterise the value for username and password so that it can be passed from another feature file and can be reused again.
I have my Ldap working the only issue i'm facing was when I try to login with email that is when I land in the else part in the below code. If my username is different from email then it throws error. i.e if my email is 'skumar#gmail.com' and my username is 'saurakumar' then it will through invalid username password error.
As internally I'm using username to make email i.e if the user login with name 'karan' then i'm expecting the email to be karan #gmail.com which is not true in many scenario and the Authentication fails. I'm looking for some solution wherein I can login either via email or via username I'll be able to authenticate user. Below is the snippet of my code. Please suggest?
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, initialContextFactory);
ldapEnv.put(Context.PROVIDER_URL, url);
ldapEnv.remove(Context.SECURITY_PROTOCOL);
if (email == null) {
lContext = new InitialLdapContext(ldapEnv, null);
entryResult = searchUserEntry(lContext, user, searchCtrls);
final String usrDN = ((Context) entryResult.getObject()).getNameInNamespace();
lContext.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
lContext.addToEnvironment(Context.SECURITY_PRINCIPAL, usrDN);
lContext.addToEnvironment(Context.SECURITY_CREDENTIALS, pass);
lContext.reconnect(null);
} else {
ldapEnv.put(Context.SECURITY_PRINCIPAL, email);
ldapEnv.put(Context.SECURITY_CREDENTIALS, credentials);
lContext = new InitialLdapContext(ldapEnv, null);
return lContext;
searchUserEntry(lContext, user, searchCtrls);
}
Normally this is a 3-step process:
Bind to LDAP as an administrative user. Note that this should not be the master user defined in the configuration file: that's for OpenLDAP's use itself. Instead it should be a user mentioned in the DIT that has the appropriate search access for the next step.
Search for the user via some unique attribute, e.g. in your case email.
Using the found DN of the user and the password he specified, attempt to bind as that user (with the reconnect() method, after changing the environment of the context appropriately).
If all that succeeds, you have a login success. If (2) or (3) fail, you have a failure, and note that you should not tell the user which it was: otherwise you are leaking information to attackers. You should not mention whether it was the username (email) or the password that was wrong.
I am working on ATG11.2 , my requirement is as below:
User will click on forgot password button, a link with encoded user id and a temporary password will be sent to email. User will click on the link sent in email and will be redirected to ResetPassword.jsp where he will get an option to fill temporary password which is sent in email, new password and confirm password respectively
I am using ForgotPasswordHandler for this implementation. I have read that forgotpasswordhandler method replaces the password property with the new generated password. Therefore m storing the input box value of temporary password in ProfileFormHandler.value.oldpassword
The values are as below:
Temporary Password :
New Password:
ConfirmPassword
But , when I am debugging handleChangePassword method in ProfileForm it is not able to compare the passwords properly. Please suggest if my approach is correct , or what do I need to override in gmethod if any required.
ATG stores passwords in encrypted format.
You need to store your oldPassword in encrypted format too. The passwords will not be equal unless both the passwords are hashed and are same.
I have been trying to get this GetVerifiedStatus API to work but it just doesn't work.
I have tried using a valid email address on
http://www.dev-tool.com/pptester/NVP/CallType.aspx?ServiceID=51&CallTypeID=53
As well as directly and through curl but they all give error of 'Api credentials are incorrect'.
Does anyone know how to do it?
Then I have another question, paypal says that GetVerifiedStatus API takes in email,first name and last name. (as mentioned in )
However there is this guy who says that he verified using email, password and signature successfully... anybody has any idea where do password and signature comes in it from?
Thanks
The link you're referring to is talking about an API username, password and signature.
To use GetVerifiedStatus, you must send email, firstName, lastName and matchCriteria.
See also page 63 of https://www.paypal-biz.com/development/documentation/PP_AdaptiveAccounts.pdf
To use GetVerifiedStatus.php here is what you have to do:
Create an account paypal sandboc
Create a preconfigured account
Click on API and Payment Card Credentials to view your account credentials
Update the following code with the credentials you got from step 3
//PayPal API Credentials
$API_UserName = "sbapi_1287090601_biz_api1.paypal.com"; //TODO
$API_Password = "1287090610"; //TODO
$API_Signature = "ANFgtzcGWolmjcm5vfrf07xVQ6B9AsoDvVryVxEQqezY85hChCfdBMvY"; //TODO
//PAYPAL SANDBOX LOGIN EMAIL
$API_SANDBOX_EMAIL_ADDRESS = "rishaque#paypal.com"; <<<<< THIS IS YOUR LOGIN EMAIL ADDRESS
I hope this help.
By default, devise uses an email address for sign up and sign in.
But I want that the email address should be allowed to be changed by the user.
If I allow the user to edit the email address, and the user specifies an "incorrect" (i.e. a typo by mistake) email address and then user signs out, and the user also forgets what the typo'ed email was, now the user account is inaccessible by the user!
How to best work around this? (except for creating a separate, unchangeable username field that will always allow user to login)
You can force the user to confirm his account again if he changes his email.
Once, you updated the password of the concerned user, you need to un-confirm the user, and then re-send the confirmation email.
To unconfirm the user :
user = User.find(1)
if user.confirmed?
user.confirmed_at = nil
user.save(:validate => false)
end
To resend the email confirmation :
user = User.find(1)
user.send_confirmation_instructions
Hope this help !
Devise does this out of the box. Here is the info from the initializer:
# If true, requires any email changes to be confirmed (exactly the same way as
# initial account confirmation) to be applied. Requires additional unconfirmed_email
# db field (see migrations). Until confirmed new email is stored in
# unconfirmed email column, and copied to email column on successful confirmation.
config.reconfirmable = true
In confirmable module you may see how it works.