Hirevo/alexandrie

I forgot the password; how do I change the user's password?

baoyachi opened this issue · 1 comment

Sorry for the delayed response.

Alexandrie doesn't yet have any routes in either its frontend or its programmatic API to recover a lost password.
The reason for this is that I don't know how to do it in a way that easily works for most people.
Recovering lost passwords would require Alexandrie to ask for proof of ownership of the email address, which is commonly done by sending an email with a link to a password reset page.
Sending email in a way that the sender can be verified and that doesn't land in spam can be quite tricky, so I am not sure yet what the way forward is here.

But if you have access to Alexandrie's database, you can reset the password by hand:
The way Alexandrie computes the value that ends up stored in users.passwd in the database is fully documented in a blog post I wrote.

I've written a little JS script for you that performs these computations in exactly the same way as Alexandrie does.

But first, you need the random salt associated with the targeted user, which you can get by running the following in your database:

```sql
-- Replace the {email} placeholder by the user's email address.
SELECT salts.salt FROM authors JOIN salts ON authors.id = salts.author_id WHERE authors.email = '{email}';
```
```js
// Run this as an ES module (e.g. save it as reset.mjs) so the import syntax works.
import crypto from 'crypto';

// Replace the {email} placeholder by the user's email address.
const EMAIL = Buffer.from('{email}', 'utf-8');

// Replace the {password} placeholder by the new password you wish to set.
const PASSWORD = Buffer.from('{password}', 'utf-8');

// Replace the {salt_from_database} placeholder by the salt you got from the previous command.
const SALT = Buffer.from('{salt_from_database}', 'hex');

const KEY_LENGTH = 64;

// First step: derive the client key from the password, salted with the email.
const client_key = crypto.pbkdf2Sync(PASSWORD, EMAIL, 5_000, KEY_LENGTH, 'sha512');
// Second step: derive the stored key from the client key, salted with the per-user salt.
const server_key = crypto.pbkdf2Sync(client_key, SALT, 100_000, KEY_LENGTH, 'sha512');

console.log(server_key.toString('hex'));
```

After running this script and copying its output, you can update the database with:

```sql
-- Replace the {email} placeholder by the user's email.
-- Replace the {output_from_script} placeholder by the output you got from the script.
UPDATE authors SET passwd = '{output_from_script}' WHERE email = '{email}';
```

And that's it, you should be good to go after this!