Add PASSWORD-RESET SASL mechanism (#1122)
Andrzej Wójcik (Tigase) opened 5 years ago

It would be good to have a SASL mechanism allowing a user to reset his password.

Here is a workflow which could work:

  1. A client tries to authenticate using SASL (i.e. PLAIN or SCRAM-*).
  2. If authentication fails, the client checks if the PASSWORD-RESET SASL mechanism is available. If so, it presents the user with a choice to either enter the password again or try to reset the password.
  3. If the user decides to reset the password, the client connects to the XMPP server and uses the PASSWORD-RESET SASL mechanism.
  4. The server responds with a SASL challenge (a kind of XMPP data form) which should contain an email field for the user to specify the email address to use during the password reset (we should use a form so that other fields, i.e. a 2FA token field, could be added later on).
  5. The client submits the filled form to the server (still as part of SASL) and the XMPP server validates the provided values (i.e. whether the provided email address matches the email address provided during account registration).
  6. If there were no issues, the server triggers a password reset by sending an email to the user with a password reset link.
  7. The server responds with an authentication error but marks "somehow" that the password reset link was sent.
  8. The user opens the received email and uses the sent link to reset his password.
  9. The user updates his client with the new password.
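
A worked sketch of steps 4 to 7 in Python, added here as an illustration and not code from Tigase or from this issue; the FORM_TYPE value, the shape of the failure result, and the in-memory account store and outbox are all assumptions, since the issue leaves the exact schema open.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

NS = "jabber:x:data"
# Constructed account store: bare JID -> e-mail given at registration.
REGISTERED_EMAILS = {"alice@example.org": "alice@example.com"}
# Constructed outbox so the example runs offline; a real server would send mail here (step 6).
OUTBOX = []


def build_challenge() -> bytes:
    """Step 4: the server's challenge is a data form with an 'email' field."""
    x = ET.Element("x", {"xmlns": NS, "type": "form"})
    ft = ET.SubElement(x, "field", {"var": "FORM_TYPE", "type": "hidden"})
    ET.SubElement(ft, "value").text = "urn:example:password-reset:0"  # placeholder FORM_TYPE
    ET.SubElement(x, "field", {"var": "email", "type": "text-single", "label": "Registered e-mail"})
    return base64.b64encode(ET.tostring(x))


def build_client_response(email: str) -> bytes:
    """Step 5, client side: submit the form with the e-mail the user typed."""
    x = ET.Element("x", {"xmlns": NS, "type": "submit"})
    ET.SubElement(ET.SubElement(x, "field", {"var": "email"}), "value").text = email
    return base64.b64encode(ET.tostring(x))


def form_fields(payload: bytes) -> dict:
    """Decode a base64 SASL payload and map each form field's var to its first value."""
    root = ET.fromstring(base64.b64decode(payload))
    fields = {}
    for fld in root.findall(f"{{{NS}}}field"):
        value = fld.find(f"{{{NS}}}value")
        fields[fld.get("var")] = value.text if value is not None and value.text else ""
    return fields


def handle_response(jid: str, payload: bytes) -> dict:
    """Steps 5-7, server side: validate the e-mail, trigger the reset mail, answer with a failure."""
    submitted = form_fields(payload).get("email", "")
    expected = REGISTERED_EMAILS.get(jid, "")
    # Constant-time compare so response timing does not leak the registered address.
    link_sent = bool(expected) and hmac.compare_digest(submitted.encode(), expected.encode())
    if link_sent:
        OUTBOX.append((expected, f"reset link for {jid}"))  # step 6, stubbed
    # Step 7: always a SASL failure; the extra flag marks that a link went out.
    return {"result": "failure", "condition": "not-authorized", "reset-link-sent": link_sent}
```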

Before adding this mechanism, it would be good to check whether any other XMPP server already supports this. If any does, it would be good to "follow" its schema to have a unified mechanism.

This task is for server-side work. When finished, we can work on client-side implementations.
