Passwordless | Passcodes for reset password - non-ACTIVE users #2902
nice test coverage for all the cases!
For users in a non-ACTIVE state, we should first get them into one of the ACTIVE states in order to send them an email which allows them to reset their password with a passcode. The best way to do this is to first deactivate the user, which works on all user states and puts them into the DEPROVISIONED state. Then we can activate the user, which will put them into the PROVISIONED state and return us a recovery token. We then use the recovery token to set a placeholder password for the user, which transitions them into the ACTIVE state, and then we can call the `changePasswordEmailIdx` method again to send the user a passcode as they'll be in one of the ACTIVE states.
src/server/lib/okta/validateEmail.ts

```ts
export const validateEmailAndPasswordSetSecurely = async ({
	id,
	ip,
	unsetFlags = false,
```
```diff
-	unsetFlags = false,
+	setFlags = true,
```
Perhaps just default to true and avoid the negation on line 30, I find it a little bit confusing 😅
Yeah that's a good point! I'll see what I can conjure up.
Updated it to `flagStatus` instead, which makes more sense than "set"/"unset"!
…lly set flags to false
What does this change?
In #2852 we implemented passcodes for reset password for some "ACTIVE" users. Namely the ones with both the "password" and "email" authenticator, and users with just the "email" authenticator.
In #2889 we implemented passcode for reset password for the remaining active users, i.e the ones with only the "password" authenticator.
This PR adds the ability for all except non-existent users to reset their passwords using passcodes.
For users in a non-`ACTIVE` state, we should first get them into one of the `ACTIVE` states in order to send them an email which allows them to reset their password with a passcode. The best way to do this is to first deactivate the user, which works on all user states and puts them into the `DEPROVISIONED` state. Then we can activate the user, which will put them into the `PROVISIONED` state and return us a recovery token. We then use the recovery token to set a placeholder password for the user, which transitions them into the `ACTIVE` state, and then we can call the `changePasswordEmailIdx` method again to send the user a passcode as they'll be in one of the `ACTIVE` states, namely the one with the "email" and "password" authenticator, or the one with only the "password" authenticator. From there the existing functionality for `ACTIVE` users takes over and we send the users a passcode!

We also modify the `validateEmailAndPasswordSetSecurely` method to do the exact reverse depending on a flag. The `flagStatus` parameter was added in to set these flags, `emailValidated` and `passwordSetSecurely`, to `false` if `flagStatus` is provided as `false`. `flagStatus` defaults to `true` to retain existing behaviour.

A whole lotta cypress tests are included to make sure this functionality works.
Tested