[Feature Request] Admin triggered password resets?


DeathKitten Thu May 05, 2016 5:45 pm

Recently, I installed a certificate on my game's Nova, and when I told my players about it I requested they change their password after I disabled http connections, forwarding them to https instead. I have no idea if they followed my advice, but I would have appreciated the ability to have Nova prompt them to change their password the next time they logged in.

Any chance something could be added to the new version to do this?
Captain Amelia Waterhouse of the USS Joshua Norton, a Clandestine Operations sim.

Come chat with us on Discord! discord.gg/3bUmudQ

AgentPhoenix Wed May 11, 2016 3:06 pm

I haven't been ignoring this, just brainstorming and the more I think about it, the more gotchas seem to come up. I'm not saying no (though not saying yes at this point either), but here are some of the things that have come up thinking about this sort of feature:

  • Nova NextGen doesn't use a "homegrown" password reset system (like Nova 2). Instead we use Laravel's system, so we don't have a lot of control over changing things related to password resets.
  • With Laravel's system, when a password reset is initiated, a token is assigned (in a separate database table) that expires 60 minutes later. You run into a situation where, unless everyone is at their computer, the tokens could expire before someone does anything with it.
  • There are safeguards in the Laravel system in the event a password reset is initiated by someone other than the user. If you get an email with a reset link and it wasn't you who initiated it, simply logging in with your existing password kills the reset request and removes the token.
  • When you log in to Nova NextGen, it always remembers you for next time, so depending on server setup, it would be weeks before someone is prompted to log back in. That means you're talking about clearing the sessions table plus clearing the remember token in every user record which would actually automatically log everyone out, including the person initiating the system wide reset. The catch there is that by doing that, it might actually not complete the reset process.
  • What if someone is working on a story entry and you initiate the reset? Boom, work lost.
  • Say that 10 of your 12 users have reset their passwords; by initiating a system-wide reset like that, you'd be forcing everyone to update their password again.
  • What about inactive users? If someone comes back, they've still got their old password hashed in the database, but you don't want to be sending inactive users emails because they're, well, inactive.
As you can see, there are a lot of factors that need to be taken into account.

Currently I'm doing a bunch of clean up work on NextGen before I dive into the user system, so I'll keep thinking about it.

DeathKitten Wed May 11, 2016 11:14 pm

Honestly, if you're using Laravel's password system, it sounds like I should be climbing up the food chain and asking someone in their development team for this feature request. Something like this should be respectful of active sessions, saving whatever the user was involved in before prompting the reset; it shouldn't function like the normal password reset that's triggered by the user. All I want is something that prompts the user to change their password the next time they're active within the system.

I may just have to hope that people who are playing Starfleet Intelligence Officers understand why password best practices are what they are, and respect my request for a password reset. I do appreciate you thinking about if there might be a way to do it though.

Edit to add: To address your comment about 'what if 10 of 12 users have reset their password', in a best case scenario, I would also be able to see when the last time the password was changed was, and elect to opt out people who've made the change since whatever cut off I'm looking for (i.e. when the certificate was installed, and the .htaccess file was put into place that forced https only connections). I also recognize this is even more work than just triggering a forced reset for everyone, so it's probably a pie in the sky dream.
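One way to get the behaviour requested in the post above (prompt on the next activity, skip anyone who has changed their password since a cutoff) without touching reset tokens, sessions or remember tokens. This is an added example, not Nova NextGen or Laravel code; the `password_changed_at` column, the paths and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: users.password_changed_at (UTC string, or null for
// accounts that predate the column). Paths below are placeholders.
const EXEMPT_PATHS = ['/account/password', '/logout'];

// Returns 'allow' or 'redirect:/account/password' for an authenticated request.
function passwordGate(array $user, ?DateTimeImmutable $cutoff, string $method, string $path): string
{
    if ($cutoff === null) {
        return 'allow';                    // no forced change in effect
    }
    $changed = $user['password_changed_at'] ?? null;
    if ($changed !== null && new DateTimeImmutable($changed, new DateTimeZone('UTC')) >= $cutoff) {
        return 'allow';                    // already changed since the cutoff
    }
    if (in_array($path, EXEMPT_PATHS, true) || $method !== 'GET') {
        return 'allow';                    // change form, logout, or an in-flight save
    }
    return 'redirect:/account/password';   // prompt on the next page view
}

// Called by the change-password handler; stamping the time clears the gate.
function recordPasswordChange(array $user, string $newPassword, DateTimeImmutable $now): array
{
    $user['password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $user['password_changed_at'] = $now->format('Y-m-d H:i:s');
    return $user;
}

// Constructed sample data: cutoff = the moment HTTPS-only was enforced.
$utc    = new DateTimeZone('UTC');
$cutoff = new DateTimeImmutable('2016-05-05 00:00:00', $utc);
$users  = [
    'alice' => ['password_changed_at' => '2016-05-06 09:30:00'], // changed after cutoff
    'bob'   => ['password_changed_at' => '2016-03-01 18:00:00'], // still on old password
    'carol' => ['password_changed_at' => null],                  // inactive, never stamped
];
foreach ($users as $name => $user) {
    printf("%-5s GET  /dashboard  -> %s\n", $name, passwordGate($user, $cutoff, 'GET', '/dashboard'));
    printf("%-5s POST /posts/save -> %s\n", $name, passwordGate($user, $cutoff, 'POST', '/posts/save'));
}
$bob = recordPasswordChange($users['bob'], 'constructed-example-passphrase', $cutoff->modify('+3 days'));
printf("bob after change   -> %s\n", passwordGate($bob, $cutoff, 'GET', '/dashboard'));
```

Because the check runs on the user's next request, inactive accounts are prompted whenever they return and no email has to be sent.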


AgentPhoenix Thu May 12, 2016 7:01 am

I can tell you with near absolute certainty that Taylor won't add it to Laravel. He gets hundreds of feature requests and is incredibly picky about what gets added to the framework. Odds are you'd be told it's too specific and you should build it yourself or that you should submit a pull request for the feature, so you'd end up having to build the whole thing yourself anyway.

My guess is that the only way to really accomplish this with any control is to not make it a blanket reset, but to offer a button to certain admins on a user's account page to force the reset. It's not terribly efficient (for a variety of reasons), but it would basically allow you to target individuals to reset their passwords.

DeathKitten Sun May 15, 2016 9:53 pm

I guess that makes sense. If I had more time, I'd have to learn how to do this stuff myself... but as it is, I haven't even had time to reinstall my preview install of Nova NextGen because I did something wrong with the email config, and forgot the admin account password. >.<

Not to mention, attempting to write any code, even fluffy weight stuff like html and css, is just a blast on a keyboard with two keys not working consistently (i and q). If it weren't for spell check built into nearly everything these days, my communications would be nearly undecipherable.

To be honest, this feature sounds like it'll be more of a pain than it's worth. I keep my users' permissions pretty locked down (seen too many rage quits in my years of simming, I assume all players are capable of a blow out), so it's usually only the admin/gm accounts that can do any real damage. If I have admins/gms who won't do a password reset when I ask them to, they probably should be finding hosting elsewhere anyways.

AgentPhoenix Sun May 15, 2016 9:58 pm

So are you talking more specifically about being a GM and forcing everyone in your game to reset their password, or are you talking about being a server admin and forcing everyone on the 5 games you host to reset their passwords?

AgentPhoenix Sun May 15, 2016 10:07 pm

Also, "pro tip": create a file called .env in the root of your Nova NextGen installation and put the following content into the file:

APP_ENV=local
APP_DEBUG=true

Now, when you install Nova NextGen, you'll be shown an option during email config to use logging for emails which will put the email into the log files. That way you don't need to worry about having a proper email system set up while you're playing around with NextGen.

DeathKitten Sun May 15, 2016 11:39 pm

Nearly every Nova I've played on, I've found myself as an admin, either because I was pulled into the command team because I wasn't afraid to muck around and get things done, and/or because I was hosting the game in the first place. So my perspective on admin vs. GM is certainly blurred. As I mentioned above, the thing that prompted me to want this feature was because I'd installed a Let's Encrypt cert on the site, and wanted to make sure people weren't still using their old password that had been being passed over an unencrypted connection before, knowing that some people use public wifi, work networks, etc to connect to the Nova. That's probably more of an admin thing vs. a GM thing, I guess.

While that trick to not need an email system is cool, I want to specifically test the email config. I created a nova specific account on my hosting for the smtp, and want to iron all the bugs out with that too. Dreamhost has been having some issues with email lately anyways, so it certainly doesn't hurt to make sure their system will work with what Nova needs.

And a testament to how scattered I am right now? I had saved the password for my preview install in a text file on my external hard drive and forgot until I decided to check before messing around with wiping and reinstalling. >.< And I've been meaning to jump on your IRC channel, but my friend who runs the bouncer I use for IRC hasn't authorized me for a second network last I looked. I need to see if she's done that yet.

AgentPhoenix Mon May 16, 2016 6:47 am

SMTP through your host is fine, but you could likely run into some of the same issues people are having now. Third-party services are definitely the better way to go. Both SendGrid and SparkPost offer low config, high sending free accounts that you might want to look at. In the future, I'll have a post on Medium describing that stuff and what I recommend for NextGen.

I'm in the channel most evenings, so just buzz me if you're around!

DeathKitten Thu May 19, 2016 3:50 pm

I thought most of the spam filter issues have been if the from address is set as a different server than the host/smtp server? If I have a dedicated Nova address that's the return address, and that's the same email account that's accessing the smtp, that shouldn't have this problem, right?

I hate using free third party services because when they go down, I have no recourse. I'm paying for my Dreamhost plan, which means I have recourse if it goes down.

AgentPhoenix Fri May 20, 2016 7:04 am

Not always.

  • Some hosts have their servers configured to lock down some of the email stuff just to get ahead of potential spam.
  • Some email providers blacklist hosts or servers if they're getting a lot of spam from that server/host. Some even block all hosts until you go through a form to allow email from that server/host (though not any of the big email providers as far as I know).
  • Some email providers look at both the FROM and REPLY-TO headers. Even if your FROM header is right, a REPLY-TO header that's not from the same email address or from an email address on the server could end up getting it marked as spam.
There are a lot of different factors that I've seen when using PHP's mail. (I've never messed around with my host's SMTP stuff because I believe they have some limitations around using it and I know a bunch of hosts have similar limitations with their built-in SMTP stuff as well.)

I use Mailgun for all of Anodyne's stuff and have yet to see a problem or the service go down. With these "free" services, there's always a paid option, so even if you're using the free side of it, there are still lots of people paying for it. It's not like it's a 100% free operation. It's certainly worth checking them out during NextGen testing because they do afford a lot more features than just sending email including open rates, click tracking, and deliverability stats.

DeathKitten Fri May 20, 2016 8:07 pm

I've only had one issue with spam blocking on Nova 2 with my current game, and that was with an ISP provided email and it was intermittent. After I asked the player to contact their ISP, *and* contacted Dreamhost about it, I haven't heard any further reports of issues. The issue I had with the current test install was I'd just set the wrong port number. Once I switched that, everything works like a dream. ^_^

I am very glad you are exploring options to resolve the issue for people who either don't have access to send through their hosting, or are having issues with email providers marking them as spam, but right now my options aren't broke, so I'm happy to keep it all in house.