Good morning my friends, I think I finally found a happy path to the password reset workflow. To eat my own dog food, I wrote the whole interaction with AGJS (thanks a lot Luke for your patience). 

Details about the project:

url: https://github.com/abstractj/password-reset/
tag: 0.1.0
Dependencies: The following PR must be locally installed https://github.com/aerogear/aerogear-crypto-java/pull/14

The package “api” is what I would suggest to move to another project like ag-security for example and the other packages are mostly up to the implementer. 

Configuration files:

- The project has 2 configuration files

web.xml: 

        <init-param>
            <param-name>url</param-name>
            <param-value>http://localhost:8080/password-reset/</param-value>
        </init-param>
        <init-param>
            <param-name>redirect-page</param-name>
            <param-value>/reset/update.html</param-value>
        </init-param>

The “url” parameter is used by the project to provide the urls like: http://localhost:8080/password-reset/reset?id=CMZXGXLg%2Fw7nCBrlmEB%2BO6iDMHzxNSf8cD5idyDxS8U%3D and “redirect-page” is the page to be redirected when the correct token id is provided.

config.properties:

secret_key = "d9eb5171c59a4c817f68b0de27b8c1e340c2341b52cdbc60d3083d4e8958532" \
               “18dcc5f589cafde048faec956b61f864b9b5513ff9ce29bf9e5d58b0f234f8e3b"

“secret_key” will be the passphrase used by PBKDF2 to HMAC a new token and can’t be shared.

How to test it?

- git clone https://github.com/abstractj/password-reset/ && cd password-reset && mvn clean package 

Scenarios for testing:

- Workflow I

1. Open http://localhost:8080/password-reset/ at your browser
2. Input whatever e-mail and click on reset
3. At your console an URL will be printed at your logs. For example: http://localhost:8080/password-reset/reset?id=CMZXGXLg%2Fw7nCBrlmEB%2BO6iDMHzxNSf8cD5idyDxS8U%3D
4. Copy & paste it into your browser
5. If everything went well, you will probably see the update page. Input the e-mail, new password and the confirmation
6. Now try to send a request to the same URL and you will get a 404 (This is intentional, because the token was used & destroyed)

- Workflow II

1. Try to request the update.html page
2. You should get a 404 because you’re not allowed to do it without a valid token

- Workflow III
1. Try to request http://localhost:8080/password-reset/reset/?id=“Some random or repeated id here”
2. You should get a 404 because you’re not allowed to do it without a valid token

- Workflow IV
1. Change the value of https://github.com/abstractj/password-reset/blob/master/src/main/java/org/abstractj/model/Token.java#L22 to -10 for example.
2. Input whatever e-mail and click on reset
3. At your console an URL will be printed at your logs. For example: http://localhost:8080/password-reset/reset?id=CMZXGXLg%2Fw7nCBrlmEB%2BO6iDMHzxNSf8cD5idyDxS8U%3D
4. Copy & paste it into your browser
5. You should get a 404 because this token has already expired.

Open questions

- The usability is easy, tricky..the configuration files are too much?

- Where the package “api” should be added? ag-security? nowhere?

- Is the workflow ok for you?

Thoughts, suggestions?

--
abstractj

_______________________________________________
aerogear-dev mailing list
aerogear-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev