This repository has been archived by the owner on Feb 25, 2019. It is now read-only.

Password reset #20

Closed
christiansmith opened this issue May 31, 2014 · 3 comments

Comments

@christiansmith
Member

No description provided.

@christiansmith
Member Author

The best automated solution for enabling users to regain control of accounts is to e-mail the user a unique, time-limited, unguessable, single-use recovery URL. This e-mail should be sent to the address that the user provided during registration. Visiting the URL allows the user to set a new password. After this has been done, a second e-mail should be sent, indicating that a password change was made. To prevent an attacker from denying service to users by continually requesting password reactivation e-mails, the user’s existing credentials should remain valid until they are changed.

— Chapter 6 Attacking Authentication, The Web Application Hacker's Handbook, Dafydd Stuttard & Marcus Pinto

@adalinesimonian
Member

So it looks like we need to:

  • Add "Forgot password?" link to sign-in view
  • Add view where user enters their e-mail
  • Add view where user changes their password
  • Add view for confirmation screen that password was changed
  • Add password reset handler to work with the above views
  • Add expiring password reset token
  • Rate-limit password reset requests
  • E-mail user when request goes through
  • E-mail user when password is changed

@adalinesimonian
Member

Fixed by merging 184c559


2 participants