[Yanel-dev] Forgot password feature
Guillaume Déflache
guillaume.deflache at wyona.com
Fri Jul 31 19:06:35 CEST 2009
Hi!
Prabodh Upreti schrieb:
> >>IIUC if a successful request (email exists) was done, then for this
> user a file will be created
>
> >>data-repo/data/change-password-requests/USER_ID.xml (whereas the path
> change->>password-requests is configurable)
I am not sure the file-based storage code works, the saving and loading
parts seemed not to match when I reviewed the patch ( cf. "untested" in
http://bugzilla.wyona.com/cgi-bin/bugzilla/show_bug.cgi?id=7164#c2 ).
Did something got lost in the zip-file/merge/review dance?
A simple way of testing that is ask for a password reset from a
non-system default browser (I used Google Chrome), and then click on the
click which normally uses the system-browser (Firefox here), which of
course uses a different session => the file-based storage code gets
triggered: I get an exception with current svn code.
Maybe we should really use a Yarep repo here, e.g. the VFS
implementation (
http://svn.wyona.com/repos/public/yarep/trunk/src/impl/java/org/wyona/yarep/impl/repo/vfs/
) should be able to address Michi's scalability concerns.
> >>with the following content
>
> <?xml version="1.0" encoding="UTF-8"?>
> <user xmlns="http://www.wyona.org/yanel/1.0">
> <email>michael.wechner at wyona.com <mailto:michael.wechner at wyona.com></email>
> <starttime>1248374094694</starttime>
> <guid>f4c9fa73-b10a-4033-a31c-7d0339bd3937</guid>
> </user>
>
> >>How is <starttime> related to the expire date of this request?
>
> Start time was when the request was initiated. The expire time is this
> plus the configured validation hour(i.e 24 hr)
Why not store the expiry date directly? Simpler to check and the delay
may be changed by the administrator in the meantime, so the expiry date
can change, which is weird IMHO... and it also prevents us to display
the expiry date in the message itself, which is more user-friendly IMHO
(think about clicking on expired-token messages and struggling to find a
valid one if you have a slow mail delivery / intermittent online access).
Having it in ISO 8601 format would could help diagnostics too, cf.
http://www.w3.org/QA/Tips/iso-date
> >>What does <guid> stand for? I guess the content is the "reset
> password request id", but if so, >>then why call it like that?
> You are right. I am using multiple names for a single item. I started
> with reset password request id then in the middle thought this was just
> a guid so started using that name. We can chooce whichever is more
> appropriate and use that. I personally like guid.
I for one don't care as long as it's consistently used and documented
somewhere. "guid" is fine IMHO.
> Why save the email instead the user id?
> >> I was looking at this file also for auditing purpose. email is
> really not required there but I thought just in case someone wanted to
> examine the file, it would make more sense then user id.
>
> Re scalability, if we have one million users and many people forget
> their passwords, do we have to parse all these files to find the correct
> "reset password request id"?
>
> >>Good point. If I had a relational db I would not think much about
> this and let the query pick the right record. The db administrator
> would manage the table growth. Here I thought again we would like to
I'd rather have "self-managed data", and we do not want to
unconditionally require a DB for such a "simple" feature I guess.
> save the request for audit purpose. Maybe we could delete the file and
> just write it to a log file that pw was reset. Also the code is
The log file idea is a good idea, we could simply use a dedicated Log4J
logger for that.
> currently going through all the file to check the content and match the
> guid. What I could do is name the file based on the guid and look for
> that file name when the request comes(i.e guid 2234jlkjdjfsd.xml )
Agreed (see above), for debugging/auditing one can always rgrep the
directory.
> [...]
> Please let me know you thoughts and I will make the appropriate changes.
You are most welcome to work on everything here if you fancy it except
maybe the storage stuff which Michi or I will probably try to fix ASAP
anyway.
Cheers,
Guillaume
More information about the Yanel-development
mailing list