ping. Didn't hear whether the Temporary Code addition to reset password
was or about back to login links/"Cancel" button.
On 8/16/2015 5:26 PM, Bill Burke wrote:
Here's what I did, I can change things based on questions I asked
other emails, but here's how it works.
There's now the concept of "reset password" and a different one
* Reset password is something the user initiates. This will start an
Authentication Flow and success will login the user and bring them to
* Change password is something initiated by an admin. This just sends
an email to the user to reset their password and does not start an
Reset Password changes:
* A Temporary Code is included in the Email in addition to a clickable
* When a user requests to be sent an email, they are brought to a new
screen. This screen allows the user to alternatively enter in the code
from the email rather than clicking on a link.
* Temporary codes can only be entered once. If it is entered wrong,
user has to start login process all over again.
* Links can only be clicked once.
* The "Enter code" screen is shown with a success message even if a bad
username or email is entered. This is how it worked before. I'm
guessing this is here to avoid guessing email/usernames?
Change Password changes:
* It is a different email than Reset Password as there is no code
* Should we get rid of the "back to login" links and instead have a
"Cancel" button? This applies to registration
* Should "Enter code" screen show a success even if the username/email
was invalid? Do we need to protect hackers from guessing usernames?
JBoss, a division of Red Hat