This repository has been archived by the owner on Oct 14, 2020. It is now read-only.

Massive confusion regarding password resets. F-A-M / A-L-M #12
bartduisters opened this issue Aug 4, 2019 · 9 comments

@bartduisters

I am massively confused while implementing Password Reset through reset tokens.

After following along with the guide posted on the other repo (which has no code snippets, I had to contact the author to get a working link, found here) I got to the point where the email verification worked and was ready to implement password resetting.

Looking at the library itself I tried the following:

  • Do a POST with the following body:
{
    "action": "sendResetPwd",
    "value": {
        "email": "[email protected]"
    }
}
  • Get the 'resetToken' from the user.
  • Do a POST with the following body:
{
    "action": "resetPwdLong",
    "value": {
        "token": "$2a$13$7pV8cawWwmDy3nufgvRjPeoy2l6dEC39UtFo86ozBYUdVG2jLzY0u",
        "user": {
            "email": "[email protected]"
        },
        "password": "here_my_password"
    }
}

This gives a 'Token is not in the correct format.' error.

So I went digging into the library code itself and noticed that it had a .indexOf('___') somewhere, so I decided to check what it wants. It wants the user id, combined with ___, followed by the token. So I made the body look like this:

{
    "action": "resetPwdLong",
    "value": {
        "token": "5d47226499853a39a7778ca8___$2a$13$7pV8cawWwmDy3nufgvRjPeoy2l6dEC39UtFo86ozBYUdVG2jLzY0u",
        "user": {
            "email": "[email protected]"
        },
        "password": "here_my_password"
    }
}

This gives an 'Invalid token. Get for a new one. (authManagement)' error. I noticed that in that piece of code, it expects the token without the id___ prepended to it. I then tried to change that part of the library, but then it does a bcrypt.compare of 2 similar hashed tokens.

After all these hours, I started to notice that there are 2 repos:

  • feathers-authentication-management a.k.a. f-a-m which has feathers-local-management a.k.a. f-a-l on top of its README.md file.
  • this repo authentication-local-management which has feathers-authentication-management on top of its docs.md file.

If it is not by intention to mismatch the terms, I can create PRs to use consistent terminology on both repos.

tl;dr
What is the path to follow to implement the email verification, password reset etc.?

Best regards
Bart

@bartduisters bartduisters changed the title Massive confusing regarding password resets. F-A-M / A-L-M Massive confusion regarding password resets. F-A-M / A-L-M Aug 5, 2019
@shanemcgraw

Running into this issue as well - any help would be greatly appreciated!

@bartduisters

bartduisters commented Aug 13, 2019

@shanemcgraw I ended up coding the minimal features myself. Based upon what f-a-m was doing.

I added user verification and password reset through email, where the email to send 'from' can be any SMTP mailbox (Gmail, Hotmail, Mailgun, custom mail server ...).

What it does not include: config options to deviate from the defaults of feathers (users service called 'users', unique verifier is a property named 'email').

If this is what you are looking for, let me know.

@shanemcgraw

Ah, alas, that looks to be what I'll end up doing too. If you've got a snippet I'd love to see it!

@bartduisters

It's more than just a snippet, the outline for the email verification part is as follows:

  • Add properties to the user model to handle the verification (e.g. isVerified: boolean, verifyToken: string, verifyExpires: Date).
  • Add a helper function to create a unique token.
  • Add a hook to the 'create before' in users.hooks.js to add these properties (and use the helper function to create a unique token to assign to verifyToken).
  • Add a class object that is able to send out emails (I used nodemailer-smtp-transport), in this class I put a function that accepts different actions.
  • Add a service that is able to accept the email object (I assign the mailer in the constructor), to this service I added a switch case in the create hook (so that it is callable from the client if you use feathers-client) that listens to actions to execute (I added the same 'actions' as in the mailer object). I use this service to do different checks on the action that we try to execute, if no error is thrown in any of the checks I proceed and call the email function and pass down the action.

To use this functionality, I added a before hook called 'isVerified', in which I check the value of the isVerified property on the user model. To make sure you only do this when they try to log in with email and password, add a check for 'context.data.strategy === "local"'.

I hope this is enough to help you further. If not, you can respond here and I'll take some time to put my code in an npm package so that you can use it that way.

@astralmedia

Sorry to rehash this (hehe) a year later...but I am having trouble figuring out how to get a password reset happening. Currently still on feathers-authentication-management, but not sure about switching to this library as it is still not fully clear how to get that working.

Any insight would be appreciated. Getting the "Token is not in the correct format" error on fam...would love to be able to stick to fam for the short term...does it work still for password resets?

@bartduisters

@astralmedia I am still using what I described in the steps on Aug 16, 2019, in two projects now. As can be seen in the original post, there is a mismatch in the different steps. I don't think this will change anytime soon given it is now a year later.

If the steps are unclear, let me know, then I'll add in some more detail.

@astralmedia

Thank you @bartduisters

I was able to get it working finally :)

@bartduisters

bartduisters commented Aug 6, 2020

I was able to get it working finally :)

@astralmedia Are you referring to my steps or to the password reset of F-A-M/A-L-M?

@astralmedia

I meant I got the fam stuff to work following this thread's info. The problem was I was doing it by hand, grabbing the already hashed token from the DB, thinking it was the token it would look for. Anyway, thanks!
