It would be good to have a SASL mechanism allowing a user to reset their password.
Here is a workflow which could work:
1. A client tries to authenticate using SASL (e.g. PLAIN or SCRAM-*).
2. If authentication fails, the client checks whether the PASSWORD-RESET SASL mechanism is available. If so, it presents the user with a choice to either enter the password again or try to reset the password.
3. If the user decides to reset the password, the client connects to the XMPP server and uses the PASSWORD-RESET SASL mechanism.
4. The server responds with a SASL challenge (a kind of XMPP data form) which should contain an email field for the user to specify the email address to use during the password reset (we should use a form so that other fields, e.g. a 2FA token field, can be added later on).
5. The client submits the filled form to the server (still as part of SASL) and the XMPP server validates the provided values (e.g. whether the provided email address matches the email address given during account registration).
6. If there were no issues, the server triggers a password reset by sending an email to the user with a password reset link.
7. The server responds with an authentication error but marks "somehow" that the password reset link was sent.
8. The user opens the received email and uses the sent link to reset their password.
9. The user updates their client with the new password.
Before adding this mechanism, it would be good to check whether any other XMPP server already supports something like this. If one does, it would be good to "follow" its schema so that we have a unified mechanism.
This task is for server-side work. When finished we can work on client-side implementations.
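The exchange described above, as an added example that is not part of the original issue and not Tigase code: a server-side sketch of the hypothetical PASSWORD-RESET mechanism, with the challenge carried as an XEP-0004 data form inside the RFC 6120 SASL elements, plus the matching client-side helpers so the whole round trip can be run offline. Assumptions of this sketch, none of which the issue specifies: the client's initial SASL response carries the bare JID, the "marks somehow" part is an application-specific child element in a made-up namespace (urn:example:password-reset), the mailer is a plain list, and the reset link is a single-use token with a short lifetime. The server returns the identical failure stanza whether or not the submitted email matched, so the SASL reply alone cannot be used to confirm which email belongs to an account.

```python
import base64
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"   # RFC 6120 SASL namespace
NS_DATA = "jabber:x:data"                      # XEP-0004 data forms
NS_RESET = "urn:example:password-reset"        # hypothetical marker namespace (assumption)
ET.register_namespace("", NS_DATA)             # serialize forms with a default xmlns

# Constructed sample account store: bare JID -> email given at registration.
ACCOUNTS = {"alice@example.net": "alice@example.com"}


def b64(text):
    return base64.b64encode(text.encode()).decode()


def unb64(text):
    return base64.b64decode(text).decode()


def client_auth(jid):
    """Client side: open the mechanism; the initial response carries the JID (assumption)."""
    auth = ET.Element("auth", xmlns=NS_SASL, mechanism="PASSWORD-RESET")
    auth.text = b64(jid)
    return ET.tostring(auth, encoding="unicode")


def client_response(challenge_xml, email):
    """Client side: fill the email field of the challenge form and wrap it in <response>."""
    form = ET.fromstring(unb64(ET.fromstring(challenge_xml).text))
    form.set("type", "submit")
    for field in form.findall(f"{{{NS_DATA}}}field"):
        if field.get("var") == "email":
            ET.SubElement(field, f"{{{NS_DATA}}}value").text = email
    response = ET.Element("response", xmlns=NS_SASL)
    response.text = b64(ET.tostring(form, encoding="unicode"))
    return ET.tostring(response, encoding="unicode")


class PasswordResetMechanism:
    """Server side of the hypothetical PASSWORD-RESET SASL mechanism (sketch, not Tigase code)."""

    def __init__(self, accounts, reset_url="https://example.net/reset/", token_ttl=900):
        self.accounts = accounts
        self.reset_url = reset_url
        self.token_ttl = token_ttl
        self.tokens = {}   # token -> (jid, expiry); stands in for a database table
        self.outbox = []   # (email, link) pairs; stands in for a real mailer

    def start(self, auth_xml):
        """Handle <auth mechanism='PASSWORD-RESET'>; return (jid, challenge stanza)."""
        auth = ET.fromstring(auth_xml)
        if auth.get("mechanism") != "PASSWORD-RESET":
            raise ValueError("wrong mechanism")
        jid = unb64(auth.text)
        # The challenge payload is a data form with a single required email field.
        form = ET.Element(f"{{{NS_DATA}}}x", type="form")
        ET.SubElement(form, f"{{{NS_DATA}}}title").text = "Password reset"
        field = ET.SubElement(form, f"{{{NS_DATA}}}field", var="email",
                              type="text-single", label="Email address given at registration")
        ET.SubElement(field, f"{{{NS_DATA}}}required")
        challenge = ET.Element("challenge", xmlns=NS_SASL)
        challenge.text = b64(ET.tostring(form, encoding="unicode"))
        return jid, ET.tostring(challenge, encoding="unicode")

    def finish(self, jid, response_xml):
        """Handle the client's <response> with the filled form; always answer with the same
        <failure> so that the stanza does not reveal whether the email matched."""
        form = ET.fromstring(unb64(ET.fromstring(response_xml).text))
        submitted = ""
        for field in form.findall(f"{{{NS_DATA}}}field"):
            if field.get("var") == "email":
                value = field.find(f"{{{NS_DATA}}}value")
                submitted = (value.text or "").strip().lower() if value is not None else ""
        registered = self.accounts.get(jid, "").lower()
        # Constant-time comparison against the email recorded at registration.
        if registered and hmac.compare_digest(submitted.encode(), registered.encode()):
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (jid, time.time() + self.token_ttl)
            self.outbox.append((registered, self.reset_url + token))
        failure = ET.Element("failure", xmlns=NS_SASL)
        ET.SubElement(failure, "not-authorized")
        # Marker meaning "if the address matched, a link was sent"; emitted either way.
        ET.SubElement(failure, "reset-sent", xmlns=NS_RESET)
        return ET.tostring(failure, encoding="unicode")

    def redeem(self, token):
        """Called when the emailed link is opened: single-use and time-limited; returns the JID."""
        entry = self.tokens.pop(token, None)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]
```

Running `start` and then `finish` twice for the same JID, once with the registered address and once with a wrong one, yields byte-identical failure stanzas but only one entry in the outbox. In a real deployment the same step would also need per-account and per-IP rate limiting, since the mechanism runs before authentication and the only thing stopping a bulk guess of email addresses is the cost of each attempt.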
wojciech.kapcia@tigase.net batch edited 7 months ago