Password reset page

That is indeed how it should go, the hash must be something unique with which you can identify the user. For example you could create a hash of the email address and the current password hash to verify the user.

{{ user.email.sha1(user.password) }}

When the user is verified you can safely update the password field with the hash of the new password supplied by the user.


@patrick ok I’ll check that then!

OK, finally working on this.

I got the form set up and it sends a link that includes the e-mail and then the user id encrypted like below.

http://mywebsite.com/Passwordreset.php?email=user@email.com&id=3d45d37d3666b2723ccd1164a85dd32e6c58c5ca4d2c8ac0fa8956df554d9764

How do I convert the hashed user id back to a user ID to verify on the page so I can update the password?


@George you marked this as a solution but I’m not all the way there. The ending asked the question: how do I pass the id to the linked page (decrypt) the data?

@rokit it would be nice to have some explanation if you have it working! Screens, steps... I think that topic is sooner or later needed by most people.

Hashed values cannot be “decrypted” - that’s why they are used for storing sensitive data securely 🙂
There is no need to hash the user id when sending it with the URL.

Instead of an ID (if you don’t want to include IDs in the URL) you can use some timestamp or guid field in your database to send with the email in the URL.

As @Teodor stated, you can’t decrypt the hash.

What you must do is recreate the hash identically in the server action from the database values and compare it against the hash passed from the link.


Ok so “essentially” the link is a temporary password. If someone can read the e-mail they have what they need to reset the password?

I’m thinking I update the password field to the hash and set my “last update” field to 1 day later. Then on the password page, if the lastupdate < (now), I hide the reset form and display a message that they took too long?? Would that work?

It seems like it would be better to have them provide a temporary password when they submit the reset form. Then when they return from the link they have to provide that reset password that only they know.

Actually NO, if you use the email hashed with the password then as soon as the password is changed the hash is no longer valid.

Let’s check that workflow here:

I’m at the airport now on my phone and can’t check everything properly, but I guess that’s well written here:

Hi Guys,
In the next few days, I am going to set up a tutorial on how to create the password reset functionality with Wappler:

  • Reset password page + send new password link server action
  • New password page + update password server action

Here’s Part 1: Password Reset Functionality: Part 1

It explains how to set up the request new password page and the server action which generates a hash, and sends the dynamic link, containing this hash, to the user’s email.

Hope to finish Part 2 tomorrow.


Just to clarify. You say here it is impossible to “decrypt” the password however in your (helpful) tutorial you send the existing password with an encryption method and a hash. When the user returns to that page you use the same encryption method and hash to “compare” the posted information to validate that entry. This is what I meant by “decrypt”

That is called comparing hashes; you decrypt nothing.

hash1 = email.sha1(password)
hash2 = email.sha1(password)

You compare the results of both. If a password (the salt value) has changed, the hashes won’t match.

Thanks, when I was originally asking I didn’t know what to call it.

When I set up my original login page I used sha256; your tutorial uses sha1. Now I’m wondering which to use?? (All of my users’ passwords will need updating because they were in plain text - yikes.) Is the biggest difference field size?

As it is explained in the tutorial - use whatever hash method you like - sha1 or sha256 - it doesn’t matter.
Use whatever method you are currently using.

As I asked in my question - is the biggest difference field size? I’m at a point where I could change so I was seeking your advice. I apologize, I will search for my answer elsewhere.

It’s not only the length. There are plenty of articles on this topic if you google. Here’s a discussion as well: https://stackoverflow.com/questions/2640566/why-use-sha1-for-hashing-secrets-when-sha-512-is-more-secure

Wikipedia: https://en.wikipedia.org/wiki/Secure_Hash_Algorithms