12 posts • Page 1 of 1
Any chance something could be added to the new version to do this?
- Nova NextGen doesn't use a "homegrown" password reset system (like Nova 2). Instead we use Laravel's system, so we don't have a lot of control over changing things related to password resets.
- With Laravel's system, when a password reset is initiated, a token is assigned (in a separate database table) that expires 60 minutes later. You run into a situation where, unless everyone is at their computer, the tokens could expire before someone does anything with it.
- There are safeguards in the Laravel system in the event a password reset is initiated by someone other than the user. If you get an email with a reset link and it wasn't you who initiated it, simply logging in with your existing password kills the reset request and removes the token.
- When you log in to Nova NextGen, it always remembers you for next time, so depending on server setup, it would be weeks before someone is prompted to log back in. That means you're talking about clearing the sessions table plus clearing the remember token in every user record, which would actually automatically log everyone out, including the person initiating the system-wide reset. The catch there is that by doing that, it might actually not complete the reset process.
- What if someone is working on a story entry and you initiate the reset? Boom, work lost.
- Say that 10 of your 12 users have reset their passwords. By initiating a system-wide reset like that, you'd be forcing everyone to update their password again.
- What about inactive users? If someone comes back, they've still got their old password hashed in the database, but you don't want to be sending inactive users emails because they're, well, inactive.
Currently I'm doing a bunch of clean up work on NextGen before I dive into the user system, so I'll keep thinking about it.
I may just have to hope that people who are playing Starfleet Intelligence Officers understand why password best practices are what they are, and respect my request for a password reset. I do appreciate you thinking about if there might be a way to do it though.
Edit to add: To address your comment about 'what if 10 of 12 users have reset their password', in a best case scenario, I would also be able to see when the last time the password was changed was, and elect to opt out people who've made the change since whatever cut off I'm looking for (i.e. when the certificate was installed, and the .htaccess file was put into place that forced https only connections). I also recognize this is even more work than just triggering a forced reset for everyone, so it's probably a pie in the sky dream.
My guess is that the only way to really accomplish this with any control is to not make it a blanket reset, but to offer a button to certain admins on a user's account page to force the reset. It's not terribly efficient (for a variety of reasons), but it would basically allow you to target individuals to reset their passwords.
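The targeted approach discussed in the posts above (opt out anyone who has changed their password since a cutoff, don't email inactive users, don't log out the initiating admin mid-run), sketched as an added example that is not part of the thread and is not Nova NextGen or Laravel code. The `User` fields, `plan_forced_reset`, the `must_reset` flag and the sample accounts and dates are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class User:  # hypothetical record, not Nova's schema
    name: str
    active: bool
    password_changed_at: Optional[datetime]  # None = no change on record
    remember_token: Optional[str] = "tok"
    must_reset: bool = False


def plan_forced_reset(users, cutoff, initiator):
    """Flag stale passwords; return (to_email, flagged_silently, skipped)."""
    to_email, silent, skipped = [], [], []
    for u in users:
        changed = u.password_changed_at
        if changed is not None and changed >= cutoff:
            skipped.append(u.name)  # already changed since the cutoff
            continue
        u.must_reset = True  # assumed to be enforced at the user's next login
        if u.name != initiator:
            u.remember_token = None  # ends "remember me" logins for this user only
        # Inactive users are flagged but never emailed.
        (to_email if u.active else silent).append(u.name)
    return to_email, silent, skipped


def sample_users():
    """Constructed accounts; CUTOFF stands in for the HTTPS switch date."""
    d = lambda day: datetime(2024, 3, day, tzinfo=timezone.utc)
    return [
        User("admin", True, d(1)),
        User("alice", True, d(20)),   # changed after the cutoff
        User("bob", True, d(2)),
        User("carol", False, d(3)),   # inactive
        User("dave", True, None),     # no change date recorded
    ]


CUTOFF = datetime(2024, 3, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    users = sample_users()
    print(plan_forced_reset(users, CUTOFF, initiator="admin"))
```

An account with no recorded change date is treated as stale, which is the safe default when the last-changed column is new.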
Not to mention, attempting to write any code, even fluffy weight stuff like html and css, is just a blast on a keyboard with two keys not working consistently (i and q). If it weren't for spell check built into nearly everything these days, my communications would be nearly undecipherable.
To be honest, this feature sounds like it'll be more of a pain than it's worth. I keep my users' permissions pretty locked down (seen too many rage quits in my years of simming, I assume all players are capable of a blow out), so it's usually only the admin/gm accounts that can do any real damage. If I have admins/gms who won't do a password reset when I ask them to, they probably should be finding hosting elsewhere anyways.
Now, when you install Nova NextGen, you'll be shown an option during email config to use logging for emails which will put the email into the log files. That way you don't need to worry about having a proper email system set up while you're playing around with NextGen.
While that trick to not need an email system is cool, I want to specifically test the email config. I created a Nova-specific account on my hosting for the SMTP, and want to iron all the bugs out with that too. Dreamhost has been having some issues with email lately anyways, so it certainly doesn't hurt to make sure their system will work with what Nova needs.
And a testament to how scattered I am right now? I had saved the password for my preview install in a text file on my external hard drive and forgot until I decided to check before messing around with wiping and reinstalling. >.< And I've been meaning to jump on your IRC channel, but my friend who runs the bouncer I use for IRC hasn't authorized me for a second network last I looked. I need to see if she's done that yet.
I'm in the channel most evenings, so just buzz me if you're around!
I hate using free third party services because when they go down, I have no recourse. I'm paying for my Dreamhost plan, which means I have recourse if it goes down.
- Some hosts have their servers configured to lock down some of the email stuff just to get ahead of potential spam.
- Some email providers blacklist hosts or servers if they're getting a lot of spam from that server/host. Some even block all hosts until you go through a form to allow email from that server/host (though not any of the big email providers as far as I know).
- Some email providers look at both the FROM and REPLY-TO headers. Even if your FROM header is right, a REPLY-TO header that's not from the same email address or from an email address on the server could end up getting it marked as spam.
I use Mailgun for all of Anodyne's stuff and have yet to see a problem or the service go down. With these "free" services, there's always a paid option, so even if you're using the free side of it, there are still lots of people paying for it. It's not like it's a 100% free operation. It's certainly worth checking them out during NextGen testing because they do afford a lot more features than just sending email, including open rates, click tracking, and deliverability stats.
I am very glad you are exploring options to resolve the issue for people who either don't have access to send through their hosting, or are having issues with email providers marking them as spam, but right now my options aren't broke, so I'm happy to keep it all in house.