
Password Reset Best Practices

password omniauth

2 replies to this topic

#1 jleecbd



  • Members
  • 4 posts

Posted 16 November 2013 - 04:44 AM

I'm using multiple omniauth strategies in an application, including identity. I currently have it defined that if you do a password reset request, but you have not established identity as one of your authentication mechanisms, the system will not email a reset link. This seemed like a good idea, but then I was wondering about those circumstances where maybe someone has forgotten that they haven't set that up, and so requests the reset. It would be nice to basically use that as a means of creating the identity authentication. Is there a good reason to not allow this?

#2 james



  • Members
  • 223 posts
  • Location: Leeds, U.K.

Posted 17 November 2013 - 09:09 AM

Just to clarify. The password reset option should only be available to someone who has used identity. If they have forgotten their GitHub password, for example, then they should request a reset through that account, not through you. Does that help?

Programming is just about problem solving!

#3 jleecbd



  • Members
  • 4 posts

Posted 20 November 2013 - 04:43 AM

Yes, I'm not providing reset capabilities for other methods they might have defined. I'm just envisioning a use case where they come to the app, believe they had created an identity login before, but really hadn't. If they request a password reset, the system will simply not send it, but will act as if it did. I did that, in part, to avoid someone trying out various emails looking for a real one. All are treated as real.


The more I think about it, I think I'll just leave it be.  I prefer to have the user purposely define the identity.
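The behaviour described in this thread, a reset request that only emails identity-based accounts but answers every address identically so the response cannot be used to tell real addresses from unknown ones, as an added example. This is not the poster's code or any OmniAuth library code; the in-memory `IDENTITIES` table, the `OUTBOX` array standing in for the mailer, the `https://app.example` link base and all function names are constructed assumptions. Beyond what the posts discuss, it also stores only a digest of the token and checks it in fixed time with an expiry, which is what a practitioner would want on the consuming side of the link.

```ruby
require "securerandom"
require "digest"

# Constructed in-memory stand-ins for the app's models and mailer (assumptions,
# not code from the thread). An "identity" row exists only for users who set up
# the OmniAuth identity strategy; other users authenticate elsewhere (e.g. GitHub)
# and never get a reset mail from this app.
IDENTITIES = {
  "alice@example.com" => { id: 1, reset_digest: nil, reset_sent_at: nil },
}
OUTBOX = [] # what the mailer would send; inspected instead of real SMTP

# One notice for every request, so the caller learns nothing about whether the
# address has an identity record.
RESET_NOTICE = "If that address has a password on file, a reset link is on its way."

def hash_token(token)
  Digest::SHA256.hexdigest(token)
end

# Handles a password-reset request. Only identity accounts get an email; every
# other address takes the same visible path and receives the same notice.
def request_password_reset(email, identities: IDENTITIES, outbox: OUTBOX, now: Time.now)
  normalized = email.to_s.strip.downcase
  identity = identities[normalized]

  if identity
    # The raw token travels only in the email; the database keeps its digest,
    # so a leaked table does not yield working reset links.
    token = SecureRandom.urlsafe_base64(32)
    identity[:reset_digest] = hash_token(token)
    identity[:reset_sent_at] = now
    outbox << { to: normalized, link: "https://app.example/password/reset/#{token}" }
  end

  RESET_NOTICE # identical whether or not anything was queued
end

# Consumes a token from the link: digest lookup plus expiry check.
def valid_reset_token?(email, token, identities: IDENTITIES, now: Time.now, ttl: 2 * 60 * 60)
  identity = identities[email.to_s.strip.downcase]
  return false unless identity && identity[:reset_digest] && identity[:reset_sent_at]
  return false if now - identity[:reset_sent_at] > ttl

  # Fixed-time comparison so timing does not reveal how many digest bytes matched.
  digest = hash_token(token.to_s)
  stored = identity[:reset_digest]
  return false unless digest.bytesize == stored.bytesize
  digest.bytes.zip(stored.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end
```

Both addresses get `RESET_NOTICE`; the only difference is whether `OUTBOX` gains an entry, which the requester never sees. In a real Rails app the mailer should also be enqueued asynchronously so the response time does not differ between the two branches.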
