
Describe Forgot Password functionality? #51

Open
heymarkreeves opened this issue Nov 20, 2014 · 20 comments
Comments

@heymarkreeves
Member

Hi, Liam!

I think you said that Forgot Password support is now in the API (and we're scoping the screens to support it in the UI). Can you let me know the steps you're supporting? I'm assuming that we're starting with a new screen where you can enter your email -- What happens next?

  • Does the user get a temp password?
  • Does the user get a special link?
  • Does the user need to set a new password?
  • Can they just use an issued password until they decide to change it?

Thanks!

Mark

@heymarkreeves
Member Author

This is under:

Forgot password functionality (includes creating 2 new screens)

@mailbackwards
Collaborator

Hi Mark! I just added documentation for the forgot-password functionality in API_ENDPOINTS.md (see this commit for the changes). Here's how we currently envision it working:

  • Screen 1 would just have an email field for the user to fill in, and this email gets sent in a PATCH request to /registrations, which sends that user a password-reset email
  • The reset email contains a link to Screen 2 (at a URL of your choice), along with a password reset code as a query parameter
  • Screen 2 would have a new-password and new-password-confirmation field. When the user submits this, the password, confirmation, and reset code (from the query parameter) all get sent as a PUT request to /registrations, which updates the user's password.

How does this sound as a solution? Let me know if anything seems unclear or problematic about this setup. Thanks!

@heymarkreeves
Member Author

This sounds clear and user-friendly – We'll proceed with this as assumptions. Thanks!

@SherriAlexander
Collaborator

Hey there! Quick question about how to handle an unsuccessful response for the PATCH /registrations endpoint (Screen 1). I'm assuming that a 404 response would generally be caused by entering an email that the system doesn't recognize, is that correct?

Would you want to show a separate screen with appropriate verbiage at that point and a link to sign up (in case they haven't signed up yet), or just show the same Forgot Password? screen with the message as an error underneath the "Email" field?

Thanks!

@SherriAlexander
Collaborator

(I'm going to assume that I'll have it return an error message on the same form, as it's the same way we've handled a similar error on Sign In, but figured I should ask just in case)

@SherriAlexander
Collaborator

Hey there, all! I do have another quick question about Screen 2.

The comment above says that there should be only 2 fields on Screen 2: a password field, and a confirm password field. The reset password token will be provided by the querystring on the emailed link.

But the other field that's required by the API endpoint is the email address -- and there's no current way for the form to get that information.

Should I add another field to Screen 2 for the email address?

Also, the filename that I've set up for the password reset is "forgot-password-reset.html", if we could add that to the link in the email that gets sent out by Screen 1? Thanks!

@mailbackwards
Collaborator

Hi Sherri,

The API endpoint PUT /registrations should not need an email address -- it should only need a password, password_confirmation, and reset_password_token (from the query string). Given those 3 parameters, the API should be able to recognize the user, update their password then return a JSON user object. Does that work?

I just updated the email template to link to "http://staging.artx.clearbold.com/forgot-password-reset.html". The API doesn't know the domain of the frontend, so for now the domain is hardcoded to your staging site. Later on I can turn it into a configurable staging/production setup. How does that sound?

Thanks!
Liam

@SherriAlexander
Collaborator

Hey there! Ah, okay -- I was going by the API documentation at the commit linked above, which listed "email" as a required field for the password reset on Screen 2. Sorry about the confusion there! If those three parameters are enough, I should have enough to work with there.

Thank you for updating the email template! It's okay if it's a static link for now, most likely I'll be copying the link from the email and altering the host to be my localhost for testing anyway. :)

Thanks!
--Sherri

SherriAlexander added a commit that referenced this issue Dec 22, 2014
…ign in, adding in more password reset functionality (Github issue #51)
@SherriAlexander
Collaborator

Hi Liam!

I've made some progress with the Forgot Password functionality (I still need to get some more error handling in there, but it's a good start), and I had a quick question for you about the API backend for the password reset part.

I have the password reset form set up, and it all seems to be submitting correctly. I'm sending a PUT request with the password and password_confirmation values, and I send the reset_password_token from the email in a beforeSend function (setting it as a request header, like the authentication tokens elsewhere in the scripts). The Ajax call is returning success. But it seems that the password is not actually being changed by the API. When I go to log in, it still only responds to the old password, not the new one I just set. Could you double-check that everything is working as expected on the API end? Thanks!

@mailbackwards
Collaborator

Hi Sherri, I'm very sorry for the long delay here. I should have tackled this before the holidays, and once I didn't, it slipped my mind...

I just looked into it and found that the API was looking for the reset token in the POST data rather than in the request header. I've updated the controller so that it should now be checking the header for a token first, then the POST data as a backup. So it should be working now, let me know if it still has trouble. Thanks!

@SherriAlexander
Collaborator

Hey there, Liam!

Still running into some problems -- I just pushed my work in progress up to the staging server, but I'm getting a JS error there that I wasn't getting from my locally hosted machine.

The PUT request being triggered by the forgot-password-reset.html form is apparently causing a 405 error (below) -- is this something that could be corrected on your end?

Failed to load resource: the server responded with a status of 405 (Method Not Allowed)

Thanks!

--Sherri

@mailbackwards
Collaborator

Hi Sherri!

Checking the logs, the request doesn't seem to be reaching our server -- when I try to submit the form, I get the following error headers:

[image: error headers returned by the staging site]

So it looks to me like the 405 is coming from the staging site rather than the API. The submit form in forgot-password-reset.html is triggering a POST here which the staging site doesn't seem to like (whereas the localhost might've let it through).

Let me know if that helps, or if I can do anything on my end. Thanks!

Liam

@SherriAlexander
Collaborator

OK -- it was actually my error in correctly parsing the querystring, sorry about that (got caught by the difference between the raw Mandrill string and the parsed URL it generates)! That piece has now been fixed, no more 405 errors. :)

However, it still seems that the password reset is not actually taking place. I just tested it out on staging (trying to change my password from "password" to "wordpass"). The email came through, I used the link in it to get to the "change the password" form, the Ajax request for changing the password returned "successful". Then I try to log in with the new password and I get the 403 "Authentication failed" error. If I log in with my original password, it works.

Could you take a peek at the logs to see what might be happening? Not sure where the problem lies, as everything appears to be working correctly from the front end, though it's possible I'm missing something. Thanks!
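
The client side of Screen 2 as Sherri describes it (token taken from the query string of the emailed link, sent in a request header on the PUT, password fields in the body), as an added example written for this thread rather than the ArtBot frontend's own code. It covers the two snags the thread ran into on this form: the query string is parsed with URLSearchParams so percent-encoded tokens decode to the value the API expects, and the submit handler calls preventDefault() so the browser does not also submit the form as a plain POST to the static host. The header name and the minimum password length are assumptions of the example; jsonDomain is the API base the frontend already keeps as a variable.

```javascript
// Added example, not the ArtBot frontend's code: helpers for Screen 2 (forgot-password-reset.html).
// Assumptions: the header name is the example's own (the thread names none), jsonDomain is the
// API base variable the frontend already has, and the minimum password length is a placeholder policy.
const RESET_TOKEN_HEADER = 'X-Reset-Password-Token';
const MIN_PASSWORD_LENGTH = 8;

// Reads the token from the query string. URLSearchParams decodes percent-encoding, so a token
// that reached the email as "abc%2Bdef" comes back as "abc+def", the value the API compares
// against; slicing the raw string by hand would hand the API the encoded form instead.
function extractResetToken(search) {
  const token = new URLSearchParams(search).get('reset_password_token');
  return token && token.trim() ? token.trim() : null;
}

function validateNewPassword(password, confirmation) {
  const errors = [];
  if (typeof password !== 'string' || password.length < MIN_PASSWORD_LENGTH) {
    errors.push(`Password must be at least ${MIN_PASSWORD_LENGTH} characters.`);
  }
  if (password !== confirmation) errors.push('Password and confirmation do not match.');
  return errors;
}

// Builds the PUT the thread describes: password fields in the JSON body, the token in a
// request header. The body carries neither the token nor an email address.
function buildResetRequest(jsonDomain, token, password, confirmation) {
  return {
    url: `${jsonDomain}/registrations`,
    method: 'PUT',
    headers: { 'Content-Type': 'application/json', [RESET_TOKEN_HEADER]: token },
    body: JSON.stringify({ password, password_confirmation: confirmation }),
  };
}

// Message shown under the form; the wording for a rejected token is kept generic on purpose.
function describeResetResponse(status) {
  if (status === 200) return 'Your password has been updated. You can now sign in.';
  if (status === 422) return 'Please check the password fields and try again.';
  return 'This reset link is no longer valid. Request a new one from the Forgot Password screen.';
}

// Wires the form. preventDefault() keeps the browser from also submitting the form itself,
// which would be a plain POST to the static host rather than the PUT to the API.
function wireResetForm(form, jsonDomain, fetchImpl = fetch) {
  form.addEventListener('submit', async (event) => {
    event.preventDefault();
    const token = extractResetToken(window.location.search);
    const password = form.elements.password.value;
    const confirmation = form.elements.password_confirmation.value;
    const errors = token ? validateNewPassword(password, confirmation) : ['Missing reset token.'];
    const messageBox = form.querySelector('.error');
    if (errors.length) { messageBox.textContent = errors.join(' '); return; }
    const req = buildResetRequest(jsonDomain, token, password, confirmation);
    const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
    messageBox.textContent = describeResetResponse(res.status);
  });
}

module.exports = { extractResetToken, validateNewPassword, buildResetRequest, describeResetResponse, wireResetForm };
```

`buildResetRequest` is kept separate from the DOM code so the exact request shape (method, header, body) can be checked without a browser; `wireResetForm` is the only part that touches `window` and `fetch`.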

@mailbackwards
Collaborator

Whoops, there were a couple errors going on! Sorry about that. I've pushed up some fixes and the password reset functionality is now working for me on staging. See if it works for you now.

@SherriAlexander
Collaborator

Hey there, Liam!

Hmm...both my local site and the staging site have stopped pulling in data completely. Has something changed on the back end that I need to update as well? Thanks!

@heymarkreeves
Member Author

@SherriAlexander I have an email to share with you on this :) Sorry for the delay!

@SherriAlexander
Collaborator

Luckily, we have the backend API URL defined just once as a variable, makes it easy to replace!

Liam, looks like you'll need to manually edit this on the http://artbotapp.com site for now -- in the scripts-concat.min.js file, search for the following snippet:

jsonDomain:"http://artx-staging.herokuapp.com"

and change that to:

jsonDomain:"http://artbot-api.herokuapp.com"

That should do the trick. :)

@SherriAlexander
Collaborator

I just tested out the Forgot Password functionality, and it all seems to be working as intended now. Thanks for working through it with me, @mailbackwards! :)

@mailbackwards
Collaborator

Great! And http://artbotapp.com is getting live data again. Thanks!

@heymarkreeves
Member Author

This one's ready for the team to test on http://staging.artx.clearbold.com/

You'll want to clear out your cache first. We'll look forward to your feedback!

Mark

/cc @desigonz @mailbackwards
