this post was submitted on 18 Sep 2023
1 points (100.0% liked)

PostFreely

1 readers
0 users here now

Community for PostFreely. PostFreely is a simple light-weight way of posting long-form articles & blogging on the Fediverse. PostFreely is an actively maintained fork of WriteFreely.

founded 1 year ago
MODERATORS
 

I am investigating improving password resetting in the PostFreely applications.

PostFreely inherited limited password reset abilities. I am now looking at improving this. And making it so that PostFreely has a more comprehensive set of methods for resetting passwords.

Please reply with your comments, questions, complaints, and any other feedback.


A basic operation of many (maybe most) applications is signing-in.

There are many different techniques an application could offer its users to enable them to sign-in.


For example —

  • e-mail address and one-time auth-code (sent to said e-mail address),
  • finger-print recognition,
  • user ID & time-based one-time password,

PostFreely currently does something different.

Currently PostFreely offers a popular, well-known method for its users to use to sign-in —

  • e-mail address & password.

A trade-off with using passwords, as PostFreely does, is that people sometimes forget their passwords.

A solution to this problem is — resetting a user's password.


Currently PostFreely only has two methods for resetting the password:

  1. a technical sysop with access to the command-line on the server uses the postfreely executable file to interactively reset the user's password to some value,
  2. an administrator uses a web-based method to reset a user's password.

Some problems with this are —

  • currently a user cannot reset their own password,
  • currently an administrator's password cannot be reset — if they or someone else cannot directly access the server, or if they are not comfortable using a terminal-emulator,
  • currently there are not any good ways of automating password resets via 3rd party tools.

Plan

PostFreely should have a more comprehensive set of methods to reset passwords —

  • a user should be able to reset their own password from the web-site,
  • a technical sysop should have a non-interactive way to reset a user's password from the command-line, so that it lends itself to automation,
  • a special API should exist for resetting any password including the admin, so that a technical sysop can use it for automation,
    • (special care needs to be paid attention on how to secure this.)

Please reply with your comments, questions, complaints, and any other feedback.


⸺ Charles Iliya Krempeaux ( @[email protected] )

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here