Password Reset Expiration Limit

[Justin Noel]

I'm really struggling with expiration limit on the new password resets that are triggered via the console.  They simply expire in too short an interval.  I don't know what the expiration limit is, but it is too short.  Probably 2 or at most 4 hours.

For example, a customer may email me and state that the old password reset system (with a temporary password) did not work - which is happening very frequently now.  About 1 to 2 hours later, I can get to their email and respond that I'll be sending them a new reset email. So, I go into the console and trigger the new reset email.  By this time, the user may not be available to do the reset.  They may be off to lunch or driving home or simply don't have time to drop everything and handle it at that time.  When they finally get around to it, the reset has expired.

Basically, unless I coordinate perfectly with my customer, the reset is almost useless and I frequently have to send a second or third.

Is there any chance of getting this reset expiration extended to 24 hours like the old system provided?

Thanks,

Justin Noel

Kids In Touch

[Alex Memering]

Hey Justin,

Sorry that this is causing you some problems.  I found a bug with how the old auth system was dealing with password resets in some select cases which may have been what you were dealing with.  I got a fix for that deployed towards the end of last week, so if you're still seeing problems then please let me know.

As for the expiry of the new password reset codes, I'm not super familiar with it right now, but let me dig into it a bit and I'll report back.  I believe the intention is that the user will trigger it themselves and go through the steps almost immediately, but obviously there are some use cases where that isn't what is wanted.

Cheers,

Alex

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/215f5fcb-faed-457d-a90f-68d0ca60eba9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Justin Noel]

Alex,

Thanks for getting back to me.  I still have an occasional case where the old password reset process is not working properly based on customer reports.  Customers state that they've copied and pasted the password and it still fails.  However, this does seem to be happening much less than it was for the prior 2 or 3 weeks.

Since my app uses the 2.X JS SDK, the old password reset process is what I use unless they run into trouble.  In the past, I could send them a temp password.  However, the new console doesn't allow that.  So, the only option I have now is with the password reset URL process that is simply too limiting.  It'd be great if y'all could bump it up to at least something like 12 hours.

Thanks,

Justin

[Alex Memering]

Oh, really?  You still have some instances of the password reset email not working?  Do you happen to know if these emails were sent in the day or two?  If so would you mind either reaching out to (just) me or through the Firebase bug reporter with some information about your app (Database URL, platforms you're using...) so that I can try to debug this?

As for the length of the new password reset codes, they are valid for one hour after the email is sent.  I don't believe that this is something that is likely to change (the short period of time is for security reasons more than anything else).  You can still send the old password reset emails yourself (but not through the console at console.firebase.google.com), for testing purposes I've been sending several to myself using the Javascript REPL that is built into my browser.

Sorry that I can't change the length for you but hopefully the alternatives are okay,

Alex

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/1fb77dd2-5ed8-46f6-b9af-981053f80ac1%40googlegroups.com.

[Justin Noel]

Alex,

Can you clarify on sending the old password reset emails via the "REPL" in the browser?  I don't think I understand what that means.  Do you mean just using the JS SDK to trigger a password reset via the old method on the behalf of my customer instead of having them do it?  Or are you talking about something more formal?

Thanks,

Justin

[Alex Memering]

Sorry, I should have been more explicit.  I typically use the developer tools JavaScript console that is built in (I use Chrome but I know that most other browsers also have an equivalent) and use the 2.x JS SDKs.  You're correct you can trigger the reset email using the old method (which will send the old format of the reset password email), which is exactly what I was referring to.

Sorry for the confusion,

Alex

--

You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/3a3877d8-42b0-41c6-8d4a-216e660e4cd4%40googlegroups.com.