
[DECIDED] Password recover #77

Open
OlegSuperBro opened this issue Oct 25, 2024 · 11 comments · May be fixed by #93
Assignees
Labels
🟠 priority: medium ✨ enhancement New feature or request ⚠️ discussion Discuss how to fix or implement something

Comments

@OlegSuperBro
Collaborator

OlegSuperBro commented Oct 25, 2024

How do we implement password recovery without breaking the anon ideology?
Current ideas are an optional email (if you want to recover your password, set an email where the recovery message will be sent) and recovery codes (on registration, give one-time-use codes to recover/reset the password).

@OlegSuperBro OlegSuperBro changed the title from "Password" to "Password recover" Oct 25, 2024
@OlegSuperBro OlegSuperBro added the ✨ enhancement (New feature or request), 🟠 priority: medium and ⚠️ discussion (Discuss how to fix or implement something) labels Oct 25, 2024
@OlegSuperBro OlegSuperBro pinned this issue Oct 25, 2024
@froggy-jpg
Collaborator

I think if the user forgets the password they will surely forget the recovery code as well, so going with the optional e-mail link seems to be the only reasonable option

@OlegSuperBro
Collaborator Author

I should clarify what I mean by "recovery codes." These are a set of one-time-use codes that users can download or copy from the settings page. Once one is used, you can't use it again. If all codes are used, the user should generate new ones.

@froggy-jpg
Collaborator

sounds inconvenient tbh, I think going with the (optional) email would be better

@froggy-jpg
Collaborator

speaking of, if we are going to use email recovery, it wouldn't hurt to have some kind of privacy policy

@OlegSuperBro
Collaborator Author

that's one of the reasons I prefer recovery codes
Second reason: does anyone know how to set up an email service to send messages? I think it's kinda hard

@froggy-jpg
Collaborator

well, you can do it your way, I just don't think that storing those codes is safe or convenient enough

@OlegSuperBro
Collaborator Author

in theory, to generate codes we can use a stripped hash of the current password hash and username. Then we don't need to store it anywhere. I don't think it's possible to get the password hash without access to the database
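The recovery-code scheme discussed in this thread (a batch of one-time codes shown to the user once, consumed on use, regenerated from the settings page when exhausted), as an added example that is not part of the project's code. It issues random codes rather than values derived from the password hash, and keeps only salted digests server-side, so a read of the users table yields nothing that can be redeemed; the class and function names, the batch size of 8 and the 64-bit code length are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical parameters, not taken from the project.
CODE_COUNT = 8   # codes issued per batch
CODE_BYTES = 8   # 64 bits of entropy per code


@dataclass
class CodeRecord:
    """What the server keeps per code: a salt and a digest, never the code itself."""
    salt: bytes
    digest: bytes
    used: bool = False


def _normalize(code: str) -> str:
    """Accept the code however the user pasted it: dashes, spaces and case are ignored."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code: str, salt: bytes) -> bytes:
    # Codes are 64-bit random secrets, so a salted SHA-256 is sufficient;
    # a slow KDF is only needed for low-entropy secrets such as passwords.
    return hashlib.sha256(salt + _normalize(code).encode("ascii")).digest()


def _format(raw_hex: str) -> str:
    """Group the hex into 4-character chunks so the code is easier to copy."""
    return "-".join(raw_hex[i:i + 4] for i in range(0, len(raw_hex), 4))


class RecoveryCodeStore:
    """Stands in for the users table; constructed for this example."""

    def __init__(self) -> None:
        self._records: Dict[str, List[CodeRecord]] = {}

    def generate(self, username: str) -> List[str]:
        """Issue a fresh batch; any earlier batch for the user is invalidated."""
        plaintext: List[str] = []
        records: List[CodeRecord] = []
        for _ in range(CODE_COUNT):
            code = _format(secrets.token_hex(CODE_BYTES))
            salt = secrets.token_bytes(16)
            records.append(CodeRecord(salt=salt, digest=_digest(code, salt)))
            plaintext.append(code)
        self._records[username] = records
        return plaintext  # shown to the user once, never stored

    def remaining(self, username: str) -> int:
        """How many unused codes are left, so the UI can prompt for regeneration."""
        return sum(1 for r in self._records.get(username, []) if not r.used)

    def redeem(self, username: str, candidate: str) -> bool:
        """Consume one unused code; False for an unknown user, a wrong code or a reused code."""
        matched = None
        # Check every record instead of returning early so that response time
        # does not reveal which slot matched.
        for record in self._records.get(username, []):
            if record.used:
                continue
            if hmac.compare_digest(_digest(candidate, record.salt), record.digest):
                matched = record
        if matched is None:
            return False
        matched.used = True
        return True


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = store.generate("alice")
    print("issued:", codes)
    print("redeem once:", store.redeem("alice", codes[0]))
    print("redeem again:", store.redeem("alice", codes[0]))
    print("remaining:", store.remaining("alice"))
```

A successful `redeem` should be followed by the usual password-reset flow and, once `remaining` hits zero, the settings page should require the user to generate a new batch; a rate limit on `redeem` attempts is still needed in front of this, as with any secret-based login path.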

@froggy-jpg
Collaborator

I mean storing codes for the user, not for us

@OlegSuperBro
Collaborator Author

Well, at least GitHub and Discord use it as a recovery option. Email is better, I agree, but it will be harder to set up than codes.
So... I prefer codes over email

@froggy-jpg
Collaborator

well, something is better than nothing for sure, I have no objections then; hopefully we can come up with something better in the future though

@OlegSuperBro
Collaborator Author

Okay, then the discussion is closed, I'll go work on it

@OlegSuperBro OlegSuperBro self-assigned this Oct 28, 2024
@OlegSuperBro OlegSuperBro changed the title from "Password recover" to "[DECIDED] Password recover" Oct 29, 2024
@OlegSuperBro OlegSuperBro unpinned this issue Oct 29, 2024