Good morning slackland, here comes the basic idea about password reset:
Some considerations to keep in mind:
1. E-mail is an insecure channel; for this reason we won't build any functionality to
"remember" the password, only reset.
2. It must be provided over SSL
3. We are not NSA proof, so this is just a prototype to validate ideas.
Details about the prototype:
1. The place to store the Token is totally up to the implementer: keystore, PicketLink or
whatever database
2. The URL to reset the password is built with PBKDF2 + an authenticated one-way hash
function (HMAC), which means there's no way you can pull the URL id back out. In this
way we avoid 2 issues: rainbow table attacks and tampering; in other words, an
attacker will have a hard time brute-forcing it, as well as trying to corrupt the message.
3. This example doesn't validate the e-mail address or have a login.
- Token table
- id: the hashed message generated and encoded in Base64 (it could also be
hexadecimal)
- sentAt: the date and time when the token was sent to someone else
- expiration: token expiration. Defaults to 1 hour.
- used: whether the token was used or not. I implemented it this way, but being paranoid
I would suggest just deleting the record once the token has been used.
- ExpirationTime class: just a class to deal with time and check if the Token has
expired.
- TokenService class: just a class to manipulate the tokens in the database
- Endpoint workflow:
- /rest/forgot
1. User inputs the e-mail
2. E-mail is validated against the database
3. A URL to reset the password is sent
Ex: curl -v -H "Accept: application/json" -H "Content-type: application/json" -d '{"email":"john@doe.com"}' -X POST http://localhost:8080/password-reset/rest/forgot
- /rest/reset
1. User sends an HTTP request with the token id
2. The id is validated against the database
3. User is redirected to the reset password page
4. The new password is configured
5. Token id is destroyed in the database or disabled
Ex: curl -v -H "Accept: application/json" -H "Content-type: application/json" -X POST http://localhost:8080/password-reset/rest/reset\?id\=sQrYVLJvwQptgYAg46t%...
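Added example (not the post's code, nor anything from aerogear): a Python sketch of the token table and TokenService described above, covering both endpoints. It makes one reading of the design explicit: the raw random token is what goes in the reset URL, and only the PBKDF2-HMAC derived id is stored, so a copy of the table or a tampered URL yields nothing redeemable. SERVER_KEY is a constructed placeholder and the in-memory dict stands in for whatever database the implementer picks.

```python
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Server-side key used as the PBKDF2 salt (constructed placeholder; real storage is the
# implementer's choice, e.g. a keystore, as the post says).
SERVER_KEY = b"constructed-server-key-placeholder"
DEFAULT_TTL_SECONDS = 3600  # the post's default expiration of 1 hour


def token_id(raw_token: bytes) -> str:
    """Stored id: PBKDF2-HMAC-SHA256 of the raw token keyed with the server secret, in
    Base64. Only this derived value is stored; the raw token travels in the reset URL."""
    digest = hashlib.pbkdf2_hmac("sha256", raw_token, SERVER_KEY, 50_000, dklen=32)
    return base64.urlsafe_b64encode(digest).decode("ascii")


@dataclass
class TokenRecord:  # one row of the token table: id, sentAt, expiration, used
    id: str
    email: str
    sent_at: float
    expiration: float
    used: bool = False


class TokenService:
    """Manipulates the token table (an in-memory dict stands in for the database)."""
    def __init__(self, ttl_seconds: int = DEFAULT_TTL_SECONDS):
        self.ttl = ttl_seconds
        self.table: Dict[str, TokenRecord] = {}

    def issue(self, email: str, now: float) -> str:
        """/rest/forgot: store a record and return the raw token for the reset URL."""
        raw = os.urandom(32)
        tid = token_id(raw)
        self.table[tid] = TokenRecord(tid, email, now, now + self.ttl)
        return base64.urlsafe_b64encode(raw).decode("ascii")

    def redeem(self, url_token: str, now: float) -> Optional[str]:
        """/rest/reset: return the e-mail for a valid, unexpired, unused token and mark
        it used; None otherwise. A tampered token derives a different id and is not found."""
        try:
            raw = base64.urlsafe_b64decode(url_token)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        record = self.table.get(token_id(raw))
        if record is None or record.used or now >= record.expiration:
            return None
        record.used = True  # the post's paranoid alternative: delete the row instead
        return record.email
```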
Let me know what you think and I can move forward implementing it.
Note: To build the project please make use of this
PR https://github.com/aerogear/aerogear-crypto-java/pull/13. A bug was found on
ag-crypto-java.
--
abstractj