I am investigating improving password resetting in the PostFreely applications.
PostFreely inherited limited password reset abilities. I am now looking at improving this, and making it so that PostFreely has a more comprehensive set of methods for resetting passwords.
Please reply with your comments, questions, complaints, and any other feedback.
A basic operation of many (maybe most) applications is signing in.
There are many different techniques an application could offer its users to enable them to sign in.
For example —
- e-mail address and one-time auth-code (sent to said e-mail address),
- finger-print recognition,
- user ID & time-based one-time password,
PostFreely currently does something different.
Currently PostFreely offers a popular, well-known method for its users to sign in —
- e-mail address & password.
A trade-off with using passwords, as PostFreely does, is that people sometimes forget their passwords.
A solution to this problem is — resetting a user’s password.
Currently PostFreely only has two methods for resetting the password:
- a technical sysop with access to the command-line on the server uses the postfreely executable file to interactively reset the user’s password to some value,
- an administrator uses a web-based method to reset a user’s password.
Some problems with this are —
- currently a user cannot reset their own password,
- currently an administrator’s password cannot be reset — if they or someone else cannot directly access the server, or if they are not comfortable using a terminal-emulator,
- currently there are not any good ways of automating password resets via 3rd party tools.
Plan
PostFreely should have a more comprehensive set of methods to reset passwords —
- a user should be able to reset their own password from the web-site,
- a technical sysop should have a non-interactive way to reset a user’s password from the command-line, so that it lends itself to automation,
- a special API should exist for resetting any password including the admin, so that a technical sysop can use it for automation,
- (special care needs to be paid to how to secure this.)
Please reply with your comments, questions, complaints, and any other feedback.
⸺ Charles Iliya Krempeaux ( @reiver@mastodon.social )
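The first item of the plan above, a user resetting their own password from the web-site, is usually built on a single-use, time-limited token that is e-mailed to the user. Below is an added illustration of that token handling, written here for this thread; it is not PostFreely's code and nothing in it exists in the project. The type name ResetService, the in-memory map standing in for a database table, the 15-minute lifetime and the user IDs are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrInvalidToken is returned for unknown, expired and already-used tokens
// alike, so a caller cannot tell which of the three cases it hit.
var ErrInvalidToken = errors.New("invalid or expired password-reset token")

// resetRecord is what the server persists. It holds only the SHA-256 of the
// token, so a leaked copy of the table does not yield usable reset links.
type resetRecord struct {
	userID    int64
	expiresAt time.Time
	used      bool
}

// ResetService issues and redeems single-use, time-limited reset tokens.
// Hypothetical type for this example: the map stands in for a database table.
type ResetService struct {
	mu      sync.Mutex
	records map[string]*resetRecord // keyed by hex(SHA-256(token))
	ttl     time.Duration
	Now     func() time.Time // injectable clock so expiry can be tested
}

func NewResetService(ttl time.Duration) *ResetService {
	return &ResetService{
		records: make(map[string]*resetRecord),
		ttl:     ttl,
		Now:     time.Now,
	}
}

// hashToken derives the storage key from the raw token. Looking the hash up
// in a map is acceptable here because the token is 256 random bits; there is
// nothing a timing side channel on the lookup could usefully narrow down.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Issue creates a fresh 256-bit random token for userID. The raw token is
// returned exactly once so it can be placed in the e-mailed reset link; only
// its hash is stored. Any earlier token for the same user is invalidated, so
// repeated requests do not leave several live links in the user's mailbox.
func (s *ResetService) Issue(userID int64) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)

	s.mu.Lock()
	defer s.mu.Unlock()
	for key, rec := range s.records {
		if rec.userID == userID {
			delete(s.records, key)
		}
	}
	s.records[hashToken(token)] = &resetRecord{
		userID:    userID,
		expiresAt: s.Now().Add(s.ttl),
	}
	return token, nil
}

// Redeem checks a token presented from the reset link and, if it is valid,
// burns it and returns the user it belongs to. The caller then hashes the
// new password with the application's usual password hasher and stores it.
func (s *ResetService) Redeem(token string) (int64, error) {
	key := hashToken(token)

	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.records[key]
	if !ok || rec.used || s.Now().After(rec.expiresAt) {
		return 0, ErrInvalidToken
	}
	rec.used = true
	return rec.userID, nil
}

func main() {
	svc := NewResetService(15 * time.Minute)
	token, err := svc.Issue(42) // user ID 42 is a constructed sample value
	if err != nil {
		panic(err)
	}
	fmt.Println("reset link would carry:", token)
	uid, err := svc.Redeem(token)
	fmt.Println("first redeem:", uid, err)
	_, err = svc.Redeem(token)
	fmt.Println("second redeem:", err)
}
```

The two properties worth keeping from this sketch are that the stored value is a hash rather than the token, and that one generic error covers unknown, expired and reused tokens. The web handler that requests a reset should also respond identically whether or not the e-mail address is registered, and should rate-limit requests per address, so the reset form does not double as an account-enumeration oracle.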
I recommend support for MFA, Passkeys and Magic Link w cCaptcha
@dameoutlaw @reiver@flamewar.social
I added these to the backlog.
(As separate issues.)
So that we can look at them later.