<div dir="ltr">Thanks for having worked this out! <div>Some comments inline</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Dec 5, 2013 at 12:38 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Good morning slackland, here comes the basic idea about password reset:<br>
<br>
Some considerations to keep in mind:<br>
<br>
1. E-mail is an insecure channel, for this reason we won’t build any functionality to “remember” the password, only reset. <br>
2. It must be provided over SSL<br>
3. We are not NSA proof, so this is just a prototype to validate ideas.<br>
<br>
<br>
Details about the prototype:<br>
<br>
1. The place to store the Token is totally up to the implementer: keystore, PicketLink or whatever database<br></blockquote><div><br></div><div style>Okay, but in the case of Unified Push Server what would be your advice (PicketLink? since we're already using it)</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
2. The url to reset the password is built with PBKDF2 + authenticated one-way hash function (HMAC), which means there’s no way you can pull the url id back out. In this way we are avoiding 2 issues: rainbow table attacks and tampering; in other words an attacker will have a hard time brute forcing it, as well as trying to corrupt the message. <br>
3. This example doesn’t validate the e-mail address or have a login.<br>
<br>
- Token table<br>
<br>
- id: the hashed message generated and encoded in Base64 (could also be hexadecimal)<br>
- sentAt: the date and time when the token was sent to someone else<br>
- expiration: token expiration. Defaults to 1 hour.<br>
- used: whether the token was used or not. I implemented it this way, but being paranoid I would suggest just deleting the record once the token has been used.<br>
<br>
- ExpirationTime class: just a class to deal with time and check whether the Token has expired.<br>
<br>
- TokenService class: just a class to manipulate the tokens in the database<br>
<br>
- Endpoint workflow:<br>
<br>
- /rest/forgot<br>
1. User inputs the e-mail<br>
2. E-mail is validated against the database<br>
3. A URL to reset the password is sent<br>
<br>
Ex: curl -v -H "Accept: application/json" -H "Content-type: application/json" -d '{"email":"<a href="mailto:john@doe.com">john@doe.com</a>"}' -X POST <a href="http://localhost:8080/password-reset/rest/forgot" target="_blank">http://localhost:8080/password-reset/rest/forgot</a></blockquote>
<div><br></div><div style>For first registrations, I presume it uses the same endpoint? I'm thinking of this scenario: </div><div style>- An admin creates a new user just by providing a loginName.</div><div style>
- The backend creates the user and returns the url as explained above.</div><div style>- Admin sends the link to the user.</div><div style>- User clicks the link and sets his password. </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
- /rest/reset<br>
1. User sends an HTTP request with the token id<br>
2. The id is validated against the database<br>
3. User is redirected to the reset password page<br>
4. The new password is configured<br>
5. token id is destroyed in the database or disabled<br>
Ex: curl -v -H "Accept: application/json" -H "Content-type: application/json" -X POST <a href="http://localhost:8080/password-reset/rest/reset\?id\=sQrYVLJvwQptgYAg46t%2B%2BfoLrWxaPmkMY6mmvCs%2F51M%3D" target="_blank">http://localhost:8080/password-reset/rest/reset\?id\=sQrYVLJvwQptgYAg46t%2B%2BfoLrWxaPmkMY6mmvCs%2F51M%3D</a><br>
<br>
<br>
Let me know what you think and I can move forward implementing it.<br></blockquote><div><br></div><div style>Go Go Go! </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Note: To build the project please make use of this PR <a href="https://github.com/aerogear/aerogear-crypto-java/pull/13" target="_blank">https://github.com/aerogear/aerogear-crypto-java/pull/13</a>. A bug was found on ag-crypto-java.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<br>
-- <br>
abstractj<br>
<br>
_______________________________________________<br>
aerogear-dev mailing list<br>
<a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></font></span></blockquote></div><br></div></div>
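<div>The token lifecycle sketched in the quoted proposal (mint on /rest/forgot, validate and destroy on /rest/reset, 1 hour default expiration), as an added example that is not part of this thread and not AeroGear or aerogear-crypto-java code. It assumes an in-memory stand-in for the Token table, a server-side HMAC key that a real deployment would keep in a keystore, and one deliberate refinement of the prototype as described: the URL carries a random 256-bit secret while the database stores only its keyed hash, so a copy of the table yields no working reset links. A random token of that size needs no PBKDF2 stretching, so a single HMAC-SHA256 replaces the PBKDF2 + HMAC step. All names and the sample clock values are constructed for the example.</div>

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption for this example: the HMAC key lives server-side (a keystore in a
# real deployment); a fresh random key is generated here only so the script runs.
SERVER_KEY = secrets.token_bytes(32)

# Default expiration from the proposal: 1 hour.
TOKEN_TTL = timedelta(hours=1)


class TokenStore:
    """In-memory stand-in for the proposal's Token table.

    Keyed by id (Base64 of the keyed hash); each row carries the e-mail the
    token was issued for, sentAt and expiration. A redeemed token is deleted
    outright (the 'paranoid' option from the proposal) instead of flagged used.
    """

    def __init__(self):
        self.rows = {}


def derive_id(raw_token: bytes) -> str:
    """Map the secret carried in the URL to the id stored in the database.

    HMAC-SHA256 under SERVER_KEY: whoever reads the table (SQL injection,
    backup leak) gets ids that cannot be turned back into working reset URLs
    and cannot forge new ids without the key.
    """
    digest = hmac.new(SERVER_KEY, raw_token, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def issue_token(store: TokenStore, email: str, now: Optional[datetime] = None) -> str:
    """/rest/forgot, step 3: mint a token for an already-validated e-mail.

    Returns the URL-safe value to embed in the reset link; only its keyed
    hash is stored.
    """
    now = now or datetime.now(timezone.utc)
    raw = secrets.token_bytes(32)
    store.rows[derive_id(raw)] = {
        "email": email,
        "sentAt": now,
        "expiration": now + TOKEN_TTL,
    }
    return base64.urlsafe_b64encode(raw).decode("ascii")


def redeem_token(store: TokenStore, url_token: str, now: Optional[datetime] = None):
    """/rest/reset, steps 2 and 5: validate the id, then destroy it.

    Returns the e-mail the token was issued for, or None when the token is
    malformed, unknown, expired or already used. The caller then lets that
    user set a new password.
    """
    now = now or datetime.now(timezone.utc)
    try:
        raw = base64.urlsafe_b64decode(url_token)
    except (ValueError, binascii.Error):
        return None
    token_id = derive_id(raw)
    row = store.rows.get(token_id)
    if row is None or now >= row["expiration"]:
        return None
    # Consume before handing back the identity: a second request with the
    # same link fails even if the password-update step after this crashes.
    del store.rows[token_id]
    return row["email"]


def demo() -> dict:
    """Walk the flow on constructed data; returns the outcome of each case."""
    store = TokenStore()
    t0 = datetime(2013, 12, 5, 12, 38, tzinfo=timezone.utc)  # constructed clock

    link = issue_token(store, "john@doe.com", now=t0)
    first = redeem_token(store, link, now=t0 + timedelta(minutes=10))
    replay = redeem_token(store, link, now=t0 + timedelta(minutes=11))

    stale = issue_token(store, "jane@doe.com", now=t0)
    expired = redeem_token(store, stale, now=t0 + TOKEN_TTL)  # exactly 1 hour later

    garbage = redeem_token(store, "not%20base64!!", now=t0)
    return {"first": first, "replay": replay, "expired": expired, "garbage": garbage}


if __name__ == "__main__":
    print(demo())
```

<div>Two caveats a reviewer would raise on the real endpoints: /rest/forgot should answer identically whether or not the e-mail exists, so the endpoint does not become an account-enumeration oracle, and the hash lookup is keyed precisely so that a non-constant-time database index comparison leaks nothing useful about the secret in the URL.</div>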