User Story #183
Updated by Bricklou about 10 hours ago
When a user forgets their password, they can request a link allowing them to reset it.

About the email sending:
- Always give feedback that a mail is being sent, even though the mail is actually sent only if the account exists: this prevents account enumeration (i.e. "if the account exists, a link will be sent by email").
- Rate limit the forgot-password request (i.e. max 3/hour).

A new link with a randomly generated token will be sent to the user so they can proceed further.

About the generated link:
- It is single use and contains a randomly generated opaque token linked to the user's account.
- It expires if nobody has clicked on it within the following 2 hours.
- If a link has already been generated, invalidate it and generate a new one.

validated their email beforehand.
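As an added illustration of the rules above (this is example code written for this story, not the project's implementation), the following in-memory service issues a reset token, keeps only its SHA-256 digest so a leaked table cannot be replayed as a link, answers every request with the same generic message, enforces the 3-per-hour limit per account, invalidates the previous link when a new one is issued, and accepts a token once and only within 2 hours. The `users_by_email` lookup, the `send_email` callable and the injected `now` clock are assumptions standing in for the real user store, mailer and wall clock.

```python
import hashlib
import secrets

RESET_TTL_SECONDS = 2 * 60 * 60      # link expires 2 hours after it was generated
RATE_LIMIT_WINDOW_SECONDS = 60 * 60  # at most 3 requests per account per hour
RATE_LIMIT_MAX = 3
GENERIC_REPLY = "If the account exists, a link will be sent by email."


def _hash_token(token: str) -> str:
    # Only a digest is stored: a leaked table cannot be turned back into a usable link.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, users_by_email, send_email, now):
        self._users_by_email = users_by_email  # email -> user_id (assumed lookup)
        self._send_email = send_email          # send_email(email, token); assumed mailer
        self._now = now                        # clock returning seconds; injected for tests
        self._by_hash = {}    # token_hash -> (user_id, issued_at)
        self._latest = {}     # user_id -> token_hash of the currently valid link
        self._requests = {}   # user_id -> timestamps of recent requests

    def request_reset(self, email: str) -> str:
        """Same reply for every input, so the response cannot be used to enumerate accounts."""
        user_id = self._users_by_email.get(email)
        if user_id is None:
            return GENERIC_REPLY
        now = self._now()
        recent = [t for t in self._requests.get(user_id, [])
                  if now - t < RATE_LIMIT_WINDOW_SECONDS]
        if len(recent) >= RATE_LIMIT_MAX:
            self._requests[user_id] = recent
            return GENERIC_REPLY  # request silently dropped; the reply does not reveal the limit
        recent.append(now)
        self._requests[user_id] = recent
        # Invalidate any earlier link before issuing the new one.
        old = self._latest.pop(user_id, None)
        if old is not None:
            self._by_hash.pop(old, None)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, opaque to the user
        digest = _hash_token(token)
        self._by_hash[digest] = (user_id, now)
        self._latest[user_id] = digest
        self._send_email(email, token)     # the link carries the raw token, the store only its hash
        return GENERIC_REPLY

    def consume(self, token: str):
        """Return the user_id once for a valid, unexpired token, otherwise None.
        The record is removed on first lookup, so a link is never accepted twice."""
        digest = _hash_token(token)
        entry = self._by_hash.pop(digest, None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if self._latest.get(user_id) == digest:
            del self._latest[user_id]
        if self._now() - issued_at > RESET_TTL_SECONDS:
            return None
        return user_id
```

Note that the rate limit is applied per account rather than per IP, so an attacker cannot bypass it by rotating addresses, and that hitting the limit returns the same generic reply as a successful request; the only observable difference is that no mail arrives, which only the account owner can see.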