[Feature Request] Implement actual forgot password rather than using magic links #756
Replies: 3 comments 2 replies
-
You can create custom Magic Links and then apply the desired changes: shield/src/Controllers/MagicLinkController.php, lines 88 to 89 in 3412fac.
I'm not good with this implementation; I think checking the Barracuda IP (if it's static) is a better way.
-
What is "an actual stand-alone Forgot my Password feature"?
-
Thanks for the responses, guys.
Unfortunately, if this were my only concern, I could just whitelist my website IP in Barracuda so it does not sniff these emails. However, other users may be on different email domains, and I don't want to have to tell them to add a rule to their system. It would often be denied.
I mean the traditional method where you are sent a link to actually change your password. Generally, this is not a one-time-use magic link, so the user can click the link in their email as many times as they want within some threshold, usually time. Similar to the examples below: https://forum.codeigniter.com/member.php?action=lostpw Either way, I know you guys are busy and nobody else has brought this up, so I don't want you implementing something for a minority. I'm still getting to grips with Shield, so at this stage not deleting the magic link but setting a very low timeout will work for me. It just leaves me with a small maintainability issue when upgrading Shield.
-
Hi guys,
I've started researching Shield over the past few days and love it. However, I have a fundamental issue with Magic Links.
My understanding is that Magic Links, which allow a user to log in without knowing the password, are a great idea. However, they don't work in my scenario. We use Barracuda cloud-based email anti-phishing in front of our email server. It works by visiting every link in an email, determining if it's safe, then either delivering or quarantining. The problem with this is that once Barracuda sniffs the magic link, that link is then deleted from the database, so it will never work for the intended user.
My obvious workaround is to whitelist our website in Barracuda; however, that only helps users under my domain, not our customers, visitors, etc. Obviously, our company is in a niche segment in that most people do not implement this sort of anti-phishing sniffing. It would be impractical to ask all users to implement our fix on their email system [if required].
I've searched this discussion group and all issues, open and closed. Every mention of "Forgot Password" revolves around first obtaining a magic link and then processing forgotPassword.
Is there any wiggle room on the roadmap to implement an actual stand-alone Forgot my Password feature for use when not authenticated, excluding any Magic Link functionality?
Alternatively, allow Magic Links to be configured to be usable 2 times [configurable] within the [hourly] timeout. This would be a potential security issue, but one I'd be willing to live with if I narrow the timeout to 5 or 10 minutes.
Regards
Keith
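The two failure modes discussed in this thread (a single-use link consumed by a link-scanning mail filter before the user ever clicks it, and the proposed compromise of a link that tolerates a configurable number of uses inside a short expiry window) are easy to reason about with a small model. The following is an added example written for this page; it is not Shield code and does not use Shield's API. The token store, the scanner-then-user timing and the user name are constructed for the illustration, and "delete the record once it is used" is modelled as the poster describes it.

```python
"""Model of magic-link consumption under a link-prefetching mail filter.

Added illustration, not part of the Shield project. Standard library only.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class LinkRecord:
    token_hash: str
    user: str
    expires_at: float  # unix time
    max_uses: int
    uses: int = 0


class MagicLinkStore:
    """In-memory stand-in for a magic-link table (constructed for the example).

    Only a SHA-256 of the token is stored, so a database read does not hand
    out live login links; the raw token travels only in the emailed URL.
    """

    def __init__(self, ttl_seconds: int, max_uses: int = 1) -> None:
        self.ttl = ttl_seconds
        self.max_uses = max_uses
        self._records: Dict[str, LinkRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        digest = self._hash(token)
        self._records[digest] = LinkRecord(digest, user, now + self.ttl, self.max_uses)
        return token

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Return the user the link logs in, or None if the link is unusable.

        A record is deleted once it has expired or reached max_uses. With
        max_uses=1 this is exactly the delete-on-first-visit behaviour that a
        link-scanning filter triggers before the real user clicks.
        """
        rec = self._records.get(self._hash(token))
        if rec is None:
            return None
        if now >= rec.expires_at:
            del self._records[rec.token_hash]
            return None
        rec.uses += 1
        if rec.uses >= rec.max_uses:
            del self._records[rec.token_hash]
        return rec.user


def scanner_then_user(store: MagicLinkStore, user: str, t0: float) -> Tuple[Optional[str], Optional[str]]:
    """Constructed sequence: link issued at t0, fetched by the mail filter two
    seconds later, clicked by the real user a minute later."""
    token = store.issue(user, t0)
    scanner_result = store.redeem(token, t0 + 2)
    user_result = store.redeem(token, t0 + 60)
    return scanner_result, user_result


def single_use_outcome() -> Tuple[Optional[str], Optional[str]]:
    # The situation in the thread: one-hour, single-use link. The scanner
    # "logs in" and the user gets nothing.
    store = MagicLinkStore(ttl_seconds=3600, max_uses=1)
    return scanner_then_user(store, "keith", time.time())


def two_use_short_ttl_outcome() -> Tuple[Optional[str], Optional[str]]:
    # The proposed compromise: two uses allowed inside a five-minute window,
    # so the link survives one scanner fetch and still works for the user.
    store = MagicLinkStore(ttl_seconds=300, max_uses=2)
    return scanner_then_user(store, "keith", time.time())


def expired_outcome() -> Optional[str]:
    # The short window must also bound reuse: a click after expiry fails
    # even though a use is still "available".
    store = MagicLinkStore(ttl_seconds=300, max_uses=2)
    t0 = time.time()
    token = store.issue("keith", t0)
    return store.redeem(token, t0 + 301)


if __name__ == "__main__":
    print("single-use, scanner first:", single_use_outcome())
    print("two uses, 5-minute TTL:   ", two_use_short_ttl_outcome())
    print("click after expiry:        ", expired_outcome())
```

Note what the multi-use variant does and does not buy: every GET still consumes a use, so a filter that follows the link twice (or two filters in series) eats the budget again, and during the window anyone who obtains the URL can log in as the user, which is the security cost the poster acknowledges. The usual alternative, which is my suggestion rather than something proposed in the thread, is to answer the GET with a confirmation page and consume the token only on a POST from that page; scanners fetch links but do not submit forms, so the token is spent by the user and nobody else.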