Reset account password

[liamjack]

No description provided.

[colinajd]

I would love to contribute and I was wondering, what behaviour you want for password resets?

[liamjack]

I was thinking of using JWT in the same way it is used for the activation email, just need to ensure that the token validity is pretty short (10 minutes ?).

[colinajd]

Ok yeah I already started doing that. I was thinking that it would be good to return the same message whether or not the user email is found but just add an attempt or something.

[liamjack]

Absolutely, I need to think about the whole attempt system before implementing.

[colinajd]

Whenever you get time you could put up some idea of implementation, and I could start work

[liamjack]

Sure I'll try and find some time this evening and get back to you :)

[liamjack]

Maybe just a basic database table with ip_hash, count and last_attempt_date: ip_hash being a secure hash of the visitor's IP address (salted) so that the information remains non-identifying, count being the number of attempts and last_attempt_date being the datetime of the last failed attempt, to decide whether to forget about previous attempts if older than a pre-defined time (1 hour ?) or to increment.

[colinajd]

Okay cool, I should have some stuff ready for a PR at some point soon.