bountysource/core

Improve forgot/reset password usability

timfeirg opened this issue · 8 comments

I forgot my password and I can't find a "forgot your password?" anywhere on the login page

rappo commented

@timfeirg The "Forgot" link will show up after you put in a recognized email address in the email field. I find this UX to be confusing and would like it to be improved, so I'll leave this ticket open until we can get that fixed.

Ideally the "Forgot password?" link should be visible at all times and prompt you to put in your email if the field is blank.

@rappo I learned after posting this issue that bountysource and salt.bountysource are two different websites using the same user account system, and the webpage I didn't find forgot password on is https://salt.bountysource.com/login; there's nothing wrong with https://www.bountysource.com/ in my opinion

rappo commented

@timfeirg Oh, the lack of a Forgot Password on Salt is an even bigger problem and I wasn't aware of that. I think both issues should be addressed, since password reset requests sometimes go to support@bountysource.com or IRC because it's not obvious. Both changes would cut down on that.

rappo commented

Adding a bounty that should cover:

  • Password reset link visible at all times
  • Add pw reset to Salt login
  • profile feedback when password reset has been activated

Works though my error messages are too terse.

Doesn't seem ideal that the reset link in the email is to the www.bountysource domain no matter whether the reset was requested from bountysource or salt. Could be fixed by adding a signin/reset page to salt or share the existing reset page by adding a 'redirect' parameter to the reset link?

Will leave a PR until after feedback.

@rappo Does this issue still have a bounty?

Hi @sivaraam - yes, this (and the other issue you commented on) still have bounties associated with them. To check, you can paste issue URLs into the search box on bountysource.com

How about the OWASP guidelines for a forgot password service? I don't think we're being compliant here given that it is first checking if the provided e-mail exists, which I don't think of as a vulnerability.

https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

Return a consistent message for both existent and non-existent accounts.

Dunno if that fits into scope or if bounty should be increased. I am taking interest in this, however.
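One way to implement the consistent-reply guidance quoted above, together with an allow-list for the salt/www return-host idea from the earlier comment, as an added Ruby example that is not code from the bountysource/core repository; the user table, allow-list, token store and outbox are constructed for the example.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory user table; the real app reads users from its database.
USERS = { 'alice@example.com' => { id: 1 } }.freeze

# Hosts a reset link may point back to (constructed allow-list for www and salt).
ALLOWED_RETURN_HOSTS = %w[www.bountysource.com salt.bountysource.com].freeze
RESET_TOKEN_TTL = 30 * 60 # seconds a reset token stays valid

# The one reply every caller gets, whether or not the address is known.
GENERIC_REPLY = 'If an account exists for that address, a reset link has been sent.'.freeze

OUTBOX = []       # constructed stand-in for the mailer, so the example runs offline
RESET_TOKENS = {} # user id => { digest:, expires_at: }; only the digest is stored

# Map a requested return host onto the allow-list; unknown hosts fall back to www,
# so a 'redirect' parameter cannot turn the reset link into an open redirect.
def safe_return_host(requested)
  host = requested.to_s.strip
  ALLOWED_RETURN_HOSTS.include?(host) ? host : ALLOWED_RETURN_HOSTS.first
end

# Constant-time comparison of two equal-length strings (no early exit on mismatch).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Handle a reset request. The caller sees GENERIC_REPLY in every case; in a real
# deployment the mail send belongs on a background job so timing does not differ.
def request_password_reset(email, return_host: nil, now: Time.now)
  user = USERS[email.to_s.strip.downcase]
  host = safe_return_host(return_host)
  if user
    token = SecureRandom.urlsafe_base64(32) # raw token goes only to the mailbox
    RESET_TOKENS[user[:id]] = { digest: Digest::SHA256.hexdigest(token),
                                expires_at: now + RESET_TOKEN_TTL }
    OUTBOX << { to: email, link: "https://#{host}/reset?token=#{token}" }
  end
  GENERIC_REPLY
end

# Validate a token from the emailed link: unexpired, matches the stored digest,
# and single-use (the record is deleted on success).
def consume_reset_token(user_id, token, now: Time.now)
  record = RESET_TOKENS[user_id]
  return false unless record && now < record[:expires_at]
  ok = secure_compare(record[:digest], Digest::SHA256.hexdigest(token.to_s))
  RESET_TOKENS.delete(user_id) if ok
  ok
end
```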