How do I display a user's partially masked email address for confirmation on the Forgotten Password screen?


alin...@waubonsee.edu

Apr 4, 2014, 9:48:26 AM
to pwm-g...@googlegroups.com
We're in the process of implementing pwm for our school. I was asked to add a partially masked copy of the email address that would be emailed with the Forgotten Password reset email, after they submit their user id.

The idea is that they know what email address to check, because they can have multiple addresses in our system. However, for security reasons, we don't want to provide the full email address. Just enough that they know which one. For example: mel*********@gm*******

I'm able to do this via javascript in the text configuration, using the %1% token to retrieve the email. However, a determined abuser could grab the value of the email string before javascript modifies it.

Is there a way to get the email address of the user on the server side, and mask it before it's rendered on the screen?

Thanks.

Jason Rivard

Apr 4, 2014, 5:56:03 PM
to pwm-g...@googlegroups.com, alin...@waubonsee.edu
The latest nightly has an outbound REST api for manipulating the token destination value and the token destination display value for exactly this purpose.  You will have to write a web service to use it however.

alin...@waubonsee.edu

Apr 7, 2014, 10:51:34 AM
to pwm-g...@googlegroups.com, alin...@waubonsee.edu
Thanks Jason. I'll check that out. In the meantime, I wrote some javascript that removes the full email address after manipulating it and adding it to the html. I used some obfuscation to make the javascript very hard to read. It never shows the full email anywhere in the html, and is only present in the javascript for a split second. This is as good as it will get without using the REST api. Chances are, nobody will even know that the full email has ever been passed.

We're using a 3rd party tool that uses PWM. So, I'm not even sure they use the latest version. Probably not. But, I appreciate the response. I will look into it.
