Passwordless | Passcodes for reset password - non-ACTIVE users #2902
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
coldlink
changed the title
coldlink
force-pushed
the
mm/passcodes-non-active-reset
branch
from
d8bf54e
to
79761df
Compare
coldlink
requested review from
guardian-ci
and removed request for
guardian-ci
coldlink
force-pushed
the
mm/passcodes-non-active-reset
branch
from
79761df
to
1981654
Compare
coldlink
requested review from
guardian-ci
and removed request for
guardian-ci
pvighi
previously approved these changes
Sep 18, 2024
coldlink
force-pushed
the
mm/passcodes-active-password-only
branch
from
234d6e2
to
b63b345
Compare
coldlink
force-pushed
the
mm/passcodes-non-active-reset
branch
from
1981654
to
a647276
Compare
For users in a non-ACTIVE state, we should first get them into one of the ACTIVE states in order to send them an email which allows them to reset their password with a passcode. The best way to do this is to first deactivate the user, which works on all user states and puts them into the DEPROVISIONED state. Then we can activate the user, which will put them into the PROVISIONED state and return us a recovery token. We then use the recovery token to set a placeholder password for the user, which transitions them into the ACTIVE state and then we can call `changePasswordEmailIdx` method again to send the user a passcode as they'll be in one of the ACTIVE states
coldlink
force-pushed
the
mm/passcodes-non-active-reset
branch
from
a647276
to
443ebe1
Compare
pvighi
previously approved these changes
Sep 19, 2024
AshCorr
reviewed
Sep 19, 2024
src/server/lib/okta/validateEmail.ts
Outdated
| export const validateEmailAndPasswordSetSecurely = async ({ | ||
| id, | ||
| ip, | ||
| unsetFlags = false, |
There was a problem hiding this comment.
Suggested change
| unsetFlags = false, | |
| setFlags = true, |
Perhaps just default to true and avoid the negation on line 30, I find it a little bit confusing 😅
There was a problem hiding this comment.
Yeah that's a good point! I'll see what I can conjure up.
There was a problem hiding this comment.
Updated it to flagStatus instead, which makes more sense than "set"/"unset"!
…lly set flags to false
coldlink
force-pushed
the
mm/passcodes-non-active-reset
branch
from
443ebe1
to
385128c
Compare
AshCorr
approved these changes
Sep 19, 2024
1 task
coldlink
added
the
passwordless
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this change?
In #2852 we implemented passcodes for reset password for some "ACTIVE" users. Namely the ones with both the "password" and "email" authenticator, and users with just the "email" authenticator.
In #2889 we implemented passcode for reset password for the remaining active users, i.e the ones with only the "password" authenticator.
This PR adds the ability for all except non-existent users to reset their passcodes using passwords.
For users in a non-
ACTIVEstate, we should first get them into one of theACTIVEstates in order to send them an email which allows them to reset their password with a passcode.The best way to do this is to first
deactivatethe user, which works on all user states and puts them into theDEPROVISIONEDstate.Then we can activate the user, which will put them into the
PROVISIONEDstate and return us a recovery token.We then use the recovery token to set a placeholder password for the user, which transitions them into the
ACTIVEstate and then we can callchangePasswordEmailIdxmethod again to send the user a passcode as they'll be in one of theACTIVEstates, namely the one with the "email" and "password" authenticator, or the one with only the "password" authenticator.From there the existing functionality for
ACTIVEusers takes over and we send the users a passcode!We also modify the
validateEmailAndPasswordSetSecurelymethod to do the exact reverse depending on a flag. TheflagStatusparameter was added in to set these flagsemailValidatedandpasswordSetSecurelytofalseifflagStatusis provided asfalse.flagStatusdefaults totrueto retain existing behaviour.A whole lotta cypress tests are included to make sure this functionality works.
Tested