Implement Password Reset in Node.js


Feras Odeh

May 13, 2012, 7:46:13 AM
to nod...@googlegroups.com

How could I implement password reset in Node.js, express.js and MongoDB? I want to send the user an email with a password reset link which is valid for one hour or two. Is there any existing library that supports this? How could I implement it?

Thanks,

Feras

Srirangan

May 13, 2012, 8:28:48 AM
to nod...@googlegroups.com
Persist a reset key in your database along with a timestamp. 

Create a route accepting the reset key and new password. 

Verify the reset key's timestamp when applying the new password to the user.

- Sri



--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to nod...@googlegroups.com
To unsubscribe from this group, send email to
nodejs+un...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en

Duncan Gmail

May 13, 2012, 9:10:18 AM
to nod...@googlegroups.com
Feras,

Do you have login/user side already built? Did you build it yourself?

Are you using mongoose for your MongoDB?

Srirangan's suggestion is what I'd do. If you're not sure and want some help, stick your code on GitHub and I can give you a hand.

-MRdNk

Feras Odeh

May 13, 2012, 11:44:30 AM
to nod...@googlegroups.com
mrdnk,

I used passport for login and authentication. I'm using mongoose for MongoDB. Guys, is there any sample that implements password reset out there?

Thanks,
Feras


Matthew Hazlett

May 13, 2012, 12:02:23 PM
to nod...@googlegroups.com
If you use passport then they need to use passport to change their password.
Anyway I think passport became Windows Live ID.

Martin Wawrusch

May 13, 2012, 12:04:02 PM
to nod...@googlegroups.com
passportjs.org
not that dreaded Microsoft thingy from around 2000

Feras Odeh

May 13, 2012, 1:11:09 PM
to nod...@googlegroups.com
Yes Matthew, I meant passportjs.org.


Marcos Oliveira

May 13, 2012, 6:57:40 PM
to nod...@googlegroups.com
Look here: https://github.com/nodester/nodester/blob/master/lib/reset_password.js
for the reset password logic and here:
https://github.com/nodester/nodester/blob/master/scripts/mailer.js for
the mailer.

It uses CouchDB; besides that, it's similar to what you need.

-- Marcos

john.tiger

May 13, 2012, 8:57:31 PM
to nod...@googlegroups.com
is there a "standard" node login/auth module that does all the "normal"
needed stuff:
register a user - send confirmation email
authenticate the login (username/email + salted/hashed password)
validate/escape, ....
authorize some role / user info into a cookie
allow password reset
send forgotten email
(did I forget anything basic ?)

then maybe another separate module that uses facebook/google/...
(external) login

if not, it's really time that everyone rallies behind one. it seems so
redundant / unproductive / time-wasting for everyone to keep writing
this same stuff for every application - it's really a case that a
"standard login" source module would suffice for 99% of the time and any
"customization" (ie db or extra register fields) could be easily done
shoving the source into an application lib and simply modifying it.

then, there could be a separate module for using facebook/google/....
(external) login service

substack

May 14, 2012, 12:59:10 AM
to nod...@googlegroups.com
I've written a module to do this:
https://github.com/substack/node-password-reset

It's not tied to any particular database, it just persists the records in memory. You could save the data to a database pretty easily though.

Duncan Gmail

May 14, 2012, 3:39:19 AM
to nod...@googlegroups.com
Trust substack to have already written something.

On the subject of rallying around a default user management: that's really the job of a framework, rather than node.

The node community is much more about rolling your own as much as possible and/or having a variety of implementations available - no one best way ethos.

We don't all use the same database, there are a variety of frameworks - and everyone has different requirements.

Express comes with session management middleware; just add some user management and you're done, or use substack's module.

- MRdNK

deitch

May 14, 2012, 3:49:17 AM
to nodejs
I built something on top of cansecurity, but it was, as @Duncan said,
roll-your-own. I, too, wish there were something standard.


Tauren Mills

Oct 20, 2012, 4:58:49 PM
to nod...@googlegroups.com
We've written a password reset module that might help:
https://github.com/SportZing/node-pass-reset
https://npmjs.org/package/pass-reset
It was built in a way that is completely agnostic to the user's choice of database, web framework, auth framework, mailer, email templating, etc. The reset token expiration is configurable and you supply your own callbacks for userLookup, setPassword, sendEmail, etc.

It includes thorough documentation including example usage showing it being used with Express and Handlebars (for email template). There are also buster.js tests included.

Check it out and see if it might help. I'd certainly be interested in any improvement suggestions.

Tauren


On Tue, Oct 16, 2012 at 3:33 PM, Rory Madden <rorym...@gmail.com> wrote:
Hi Johno,

I am searching for a similar "standard" login/auth module. Did you ever find one / build your own? If you could share the code that you used I, and I'm sure other people looking for something similar, would really appreciate it.

Thanks,
Rory

Ryan Schmidt

Oct 21, 2012, 2:16:31 PM
to nod...@googlegroups.com

On Oct 20, 2012, at 15:58, Tauren Mills wrote:

> We've written a password reset module that might help:
> https://github.com/SportZing/node-pass-reset
> https://npmjs.org/package/pass-reset
>
> It was built in a way that is completely agnostic to the user's choice of database, web framework, auth framework, mailer, email templating, etc. The reset token expiration is configurable and you supply your own callbacks for userLookup, setPassword, sendEmail, etc.
>
> It includes thorough documentation including example usage showing it being used with Express and Handlebars (for email template). There are also buster.js tests included.
>
> Check it out and see if it might help. I'd certainly be interested in any improvement suggestions.

Thanks! I'll certainly try it out.

The readme doesn't mention it, but it seems to store the reset tokens in memory? If I want to use cluster or multiple servers then I'll need to persist them. It seems to be designed so that I can just replace passReset._storage with my own implementation? Could you add an example of that?


Tauren Mills

Oct 21, 2012, 7:19:59 PM
to nod...@googlegroups.com
You make an excellent observation. Token storage should be configurable as well and not only support in-memory storage. We've just pushed an update that should allow this to happen. Here's an example using redis:


Note that this latest update hasn't been thoroughly tested yet. If you find any issues, please let me know or submit a pull request.

I'm interested to know if the module works out for you, as well as any other features it is lacking.

Tauren



Tauren Mills

Oct 23, 2012, 2:13:07 AM
to nod...@googlegroups.com
Ryan,

I just published pass-...@0.1.0-2 to npm. This release contains a critical bug fix. Please update.

Tauren

Ryan Schmidt

Nov 18, 2012, 9:28:49 PM
to nod...@googlegroups.com

On Oct 20, 2012, at 15:58, Tauren Mills <tau...@tauren.com> wrote:

> We've written a password reset module that might help:
> https://github.com/SportZing/node-pass-reset
> https://npmjs.org/package/pass-reset

As I'm incorporating this into my site, I find myself wondering: what's the envisioned use case for allowing multiple users' reset codes to be sent in a single email message? The examples don't demonstrate, but having to accommodate that in the code and the email templates seems to make them unnecessarily complex.


Tauren Mills

Nov 20, 2012, 5:54:39 AM
to nod...@googlegroups.com
The pass-reset module was developed to support our use cases:

1. User enters a username such as "tomsmith". Only one user may have this username, so the email that is sent includes only a single code.

2. User enters an email address. Our service allows multiple users to be created with the same email address. The email sent will need to list all of the users with that email address and a reset code for each of them.

It sounds like a configuration option might be desirable for pass-reset to support single user vs multi-user modes. Would this make it easier to use in a system that doesn't allow multiple users with the same email address?

Thanks for the feedback,
Tauren



Ryan Schmidt

Nov 20, 2012, 7:20:39 PM
to nod...@googlegroups.com

On Nov 20, 2012, at 04:54, Tauren Mills <tau...@tauren.com> wrote:

> The pass-reset module was developed to support our use cases:
>
> 1. User enters a username such as "tomsmith". Only one user may have this username, so the email that is sent includes only a single code.
>
> 2. User enters an email address. Our service allows multiple users to be created with the same email address. The email sent will need to list all of the users with that email address and a reset code for each of them.

That makes sense.

> It sounds like a configuration option might be desirable for pass-reset to support single user vs multi-user modes. Would this make it easier to use in a system that doesn't allow multiple users with the same email address?

I wouldn't bother with a config option, if you explain the above in the readme or in an example.

I was able to simplify my email templates by only passing them resets[0], which seems simple enough to me.

