An option to make a new token without sending an email

When resetting a password, there is an option to create a new token without sending a password reset email. When/how would this be used?


And one more thing - do tokens last forever or are they set to expire at any point?

I would also like to know more about tokens. What they are for and how they can be used

So, when you send a reset password email, there’s a link that looks like http://yourdomain.com/reset_pw?reset=[LONG_ID]

The token is just the LONG_ID part of that link. You can then manually recreate that link at a later point in time, and do the password reset then.

Tokens can only be used once. At the moment they do not expire although we may change that in the future.

The reason we have this feature is to add some flexibility… for instance, maybe you want an administrator to create an account for someone else, and then email them from their personal accounts, rather than having the user get a system generated email.

Currently reset tokens can only be used on the reset_pw page by adding them to the url with a ?reset=TOKEN. Down the line we may let them be used on other pages.


I don’t get the point. The token has to come from somewhere to be linked to the user. Right…
Is the token you speak about the one we can get in Workflows: Account > Send password reset email > Option checked: Just make token, don’t send email. Isn’t it?

Yes, that’s right. The thing that ties it to the user is the email address you enter (even if you don’t send the email). If you create a token for an email, you’re responsible for making sure you don’t give it to someone who doesn’t own that email!

Re: token expiration – we’re going to update this to 24 hours (since it’s not secure to let old tokens hang around forever). Probably going to release that change in the next week or two.
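A small model of the token behaviour described above (bound to one email address, usable once, expiring after 24 hours, redeemed through a reset_pw?reset=TOKEN link), added here as an illustration; it is not Bubble’s own implementation, and the store class, function names and the choice to persist only a hash of the token are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

TOKEN_LIFETIME = timedelta(hours=24)  # the expiry announced in this thread
RESET_URL = "http://yourdomain.com/reset_pw?reset={token}"  # link format from the thread


class ResetTokenStore:
    """Server-side store for password reset tokens (assumed design).

    Only a SHA-256 digest of each token is kept, so reading the store
    does not yield a usable token. Each token is bound to one email,
    can be consumed once, and is rejected after TOKEN_LIFETIME.
    """

    def __init__(self):
        self._records = {}  # token digest -> (email, created_at, used)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def make_token(self, email: str, now: datetime) -> str:
        """Mint a token for `email`; the raw value is returned once and never stored."""
        token = secrets.token_urlsafe(32)  # plays the role of LONG_ID in the link
        self._records[self._digest(token)] = (email.lower(), now, False)
        return token

    @staticmethod
    def reset_link(token: str) -> str:
        """Rebuild the reset link manually, as the thread says you can."""
        return RESET_URL.format(token=token)

    def consume(self, token: str, now: datetime):
        """Return the bound email if the token is valid, otherwise None.

        Unknown, already-used and expired tokens are all rejected; a valid
        token is marked used before the email is returned (single use).
        """
        key = self._digest(token)
        record = self._records.get(key)
        if record is None:
            return None
        email, created_at, used = record
        if used or now - created_at > TOKEN_LIFETIME:
            return None
        self._records[key] = (email, created_at, True)
        return email
```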

@josh getting back to this subject… I see I can just create the token and don’t send an email… but where can I find the token to use it after? I see that I have this flexibility, but how to find the token to send it manually to the client?

You can use the “result of previous step” data source in subsequent actions.

We actually recently made changes to this action to make it more secure, namely:

a) The “result of previous step” won’t be available unless the “don’t send an email” box is checked

b) We never send the result of previous step for this action to the web browser, so if you try to show it in an alert, for instance, it will show up blank. It will be available in server side actions such as send emails.

Note that you should be extremely careful building workflows that create a token when the person running the workflow is not an administrator. If you save the token to the database, for instance, it’s possible for the user who is running the workflow to see it. Basically, you should either:

- Immediately send the token to the user whose account it is, and don’t store it anywhere

- Or, only store it if an administrator who is allowed to reset the password for this user is running a workflow, in which case you should double-check the privacy rules for the field you store it in to make sure random users can’t see the token.


Tks @josh, it worked fine.

Hey @josh, you mentioned on the thread above that the token used to only be usable with the reset_pw page. Is this token now usable on other pages?

My team doesn’t really like the */reset_pw uri, so we created our own page at */reset to accomplish the same functionality.

Also, something that threw me off is that typically, when using values from previous steps in a workflow, you access a value X by saying “Use Step 1’s result’s X”. However, when referencing the “Send reset email, but don’t send email and only create token” step of my workflow, “result” appears not to be an object that I can access into to obtain a “token”. Is the result itself the token?