user.forget_password.md
Payload

{
  // Required
  email: string;
}

Action

A user can start a password reset with this action without being authenticated. To do so the user enters their email address; the action then sends a hard-coded reset email to that address (given as email). TODO: translations

Regardless of whether the email address belongs to a user, the client shows a success message (for example "An email was successfully sent to the given email-address"). This is necessary so that the action cannot be used to enumerate which email addresses belong to OpenSlides users; the response must not differ in content or, as far as practical, in timing between the two cases.

If the email address belongs to a user, an email with the text below is sent to that address, including a link to set a new password. If multiple users share the same email address, one email is sent per user. The link points to <domain>/login/forget-password-confirm?user_id=<user_id>&token=<token>, i.e. the user's user_id and a token are passed as query parameters. The token is a JSON Web Token (JWT, RFC 7519): it is self-contained and valid for at most ten minutes. Its payload carries the user_id and the email address (as email). The token is signed with HS256, using the same secret that signs access_tokens, and is transmitted in JWT compact serialization (three base64url-encoded segments separated by dots).

To complete the password change, the action user.forget_password_confirm has to be performed with the user_id and token from the link.
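To make the token and the enumeration-safe response concrete, here is an added example in Python (the language of the OpenSlides backend). It is not OpenSlides code: it mints and checks an HS256 JWT carrying user_id and email with a ten-minute expiry using only the standard library, and emulates the constant success response with one email per matching user. The secret, domain, user records and message text are constructed demo values, and the verification function stands in for the check that user.forget_password_confirm has to perform.

```python
"""Added example, not OpenSlides project code: reset-token minting/verification
and the constant-response behaviour described in user.forget_password.md."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values; a real deployment takes these from configuration / the datastore.
SECRET = b"demo-secret-shared-with-access-tokens"  # assumption: the access_token signing secret
DOMAIN = "https://openslides.example"               # assumption: the instance domain
TOKEN_LIFETIME = 600                                 # ten minutes, as specified
USERS = [                                            # constructed sample users (two share an address)
    {"id": 7, "username": "alice", "email": "alice@example.com"},
    {"id": 9, "username": "alice2", "email": "alice@example.com"},
    {"id": 11, "username": "bob", "email": "bob@example.com"},
]
SUCCESS_MESSAGE = "An email was successfully sent to the given email-address"


def _b64url(data: bytes) -> str:
    # JWT compact serialization uses base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_reset_token(user_id: int, email: str, now: Optional[float] = None) -> str:
    """Mint the HS256 JWT: payload user_id + email, expiring TOKEN_LIFETIME seconds from now."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user_id, "email": email, "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_reset_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if algorithm, signature and expiry check out, otherwise None.
    This is the check the confirm step must make before trusting user_id and email."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm instead of trusting the token's header ("alg": "none" style attacks).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def forget_password(email: str, users=USERS, now: Optional[float] = None):
    """Emulate the action: always return the same message; queue one email per matching user."""
    outgoing = []
    for user in users:                         # always walk the full list, no early exit
        if user["email"] != email:
            continue
        token = create_reset_token(user["id"], user["email"], now)
        link = f"{DOMAIN}/login/forget-password-confirm?user_id={user['id']}&token={token}"
        outgoing.append({"to": email, "username": user["username"], "link": link})
    return SUCCESS_MESSAGE, outgoing


if __name__ == "__main__":
    message, mails = forget_password("alice@example.com")
    print(message)
    for mail in mails:
        print(mail["username"], mail["link"])
        print(verify_reset_token(mail["link"].split("token=")[1]))
```

The JWT alphabet (A-Z, a-z, 0-9, "-", "_", ".") needs no extra URL encoding in the link. Because the signing secret is shared with access_tokens, the confirm step must also verify that the payload's email still matches the user's current address, so a token minted before an address change cannot be replayed afterwards.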

Email text:

You receive this email, because you have requested a new password for your OpenSlides-account.

Please open the following link and choose a new password:
<link>

For completeness your username: <username>

Permission

None, but the action raises an action error if the user's saml_id is set.