Add Code Password Reset to the Bootstrapper

[paribaker]

This topic has come up a couple of times, at the moment the pre-built password reset flow does not work for mobile. Instead we set up the webapp to handle the password reset for mobile (including mobile only builds).

@eliasbiagioninc

Hey team @here! Mikael and I were considering adding a new approach for reset password in the bootstrapper. Now, when we make a request to reset password, it generates a token that must be send through this endpoint api/password/reset/confirm/str:uid/str:token/ to set the new password.
The approach we wanted to add is one where the BE generates a 5 numbers code and send it by email to the user. This would be better, especially on mobile where the user will click Reset Password and then be directed to a screen that says Enter the code sent to your email to reset your password . Once they submit the code, they will be directed to reset their password in the app on another screen. Also it's easier to copy a 4 digit code from email than a token string.
With this, we'd be removing the password reset token approach, what do you think?

@paribaker

Was thinking about this and in app links, while they are cool and eventually we’ll have a client that needs them, they are a bit of a pain. The plan is to use a 4 digit code email/text.
Is there any reason why we still use the password reset email link? I don’t think I’ve used an app recently that doesn’t send me a code, even if they are just web apps.

A summary of comments so far :

The team is discussing whether to switch from password reset email links to 4-digit codes for resetting passwords. Ed mentions he prefers links but sees that codes might be easier for mobile apps. Pari suggests a hybrid approach that includes both a code and a link for autofill. William raises security concerns about code guessing and notes that tokens in links are more secure. Ed concludes that switching to codes doesn't save much in terms of development effort and reaffirms the potential of magic links for logins and password resets. William adds that push notifications could be used for mobile, and Pari notes an existing implementation in Hive that needs a 10-minute expiration for codes.

Mikael and Elias propose adding a method where a 5-digit code is emailed for password resets, which users then enter in the app. This would be easier for mobile users and save development time on web app pages. Ed agrees it could save front-end development work on mobile-focused projects but points out that security concerns must be addressed, including quick expiration and cooldown for codes. Elias supports adding the functionality to both back-end and front-end by default.

[whusterj]

Security Suggestions:

• Use a 6 or 7 digit code for significantly more combos, ~500k and ~4.7M, respectively
• Limit the request rate: do not allow rapid guessing
• Expire codes after 5 minutes
• require both the email and the code on the validation API endpoint

[paribaker]

Limit the request rate: do not allow rapid guessing
require both the email and the code on the validation API endpoint
Maybe the the current set code could be automatically disabled after three failed attempts to enter a code for that email? Meaning there would not be any code set for that user until they re-request one.

[paribaker]

probably also an eventual cool down time for requesting a new code after a 5 requests within an hour

[oudeismetis]

I like the idea of auto-expiring any active code for a user after X failed guess. Could then prevent new reset emails from being sent if X * Y failed guesses happen.