Created
June 27, 2011 20:12
Secure way to recover password
// NOTE. This example is extremely simplified and shows only the idea.
/**
 * Backend operations the login and password-recovery flow relies on.
 * Implementations own the account store and the outgoing mail.
 */
public interface AuthService {

    /**
     * Checks a username/password pair.
     *
     * @return {@code true} when the credentials are accepted
     */
    boolean login(String username, String password);

    /**
     * Resolves the username that belongs to {@code email}.
     */
    String findUsernameByEmail(String email);

    /**
     * 1. Generates random key
     * 2. Sends key to given email if it was registered
     * 3. Returns the generated key
     */
    String sendPasswordRequest(String email);

    /**
     * Stores {@code newPassword} as the password of {@code username}.
     */
    void savePassword(String username, String newPassword);
}
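/**
 * Web component driving login and the three-step password recovery:
 * request a key by email, prove possession of the key, set a new password.
 * All recovery state lives server-side in this component; the client only ever
 * submits the key it received by mail, never the state being checked against.
 */
public class Authenticator extends Component {

    /** Backend performing the actual login, key delivery and password persistence. */
    AuthService authService;

    // Address the current recovery request was sent to, or null when no request is open.
    String email = null;
    // Key mailed for the current request; cleared as soon as it has been used once.
    String securityKey = null;

    // Account that has proven key possession and may now set a new password.
    @Attribute
    String username = null;

    /**
     * Remoted means that method is callable from web client.
     *
     * @param username login name entered by the user
     * @param password password entered by the user
     */
    @Remoted
    public void login(String username, String password) {
        if (authService.login(username, password)) {
            // Do something here. Probably reload page
        } else {
            // Show an error message
        }
    }

    /**
     * Starts a recovery flow: asks the backend to generate a fresh key and mail it to
     * {@code email}, and remembers both so the following steps can be checked.
     *
     * @param email address the user claims to own
     */
    @Remoted
    public void requestPasswordChange(String email) {
        // A new request supersedes any earlier one: drop a username proven with an
        // older key so only the key mailed for this request can unlock a change.
        this.username = null;
        this.email = email;
        this.securityKey = authService.sendPasswordRequest(email);
        // Inform the user that request has been sent to given email
        // and should be checked.
    }

    /**
     * This is called when user has copied the key from email and is entered to
     * proper input field.
     *
     * @param securityKey key the user typed in; compared in constant time with the
     *                    key that was mailed out
     */
    @Remoted
    public void recoverPassword(String securityKey) {
        if (this.email != null && keysMatch(this.securityKey, securityKey)) {
            // Single-use: consume the key the moment it has been verified so it
            // cannot be submitted a second time.
            this.securityKey = null;
            this.username = authService.findUsernameByEmail(this.email);
            // Show the username to user
        } else {
            // Show an error
        }
    }

    /**
     * Sets the new password for the account that completed {@link #recoverPassword}.
     *
     * @param newPassword password chosen by the user
     */
    @Remoted
    public void changePassword(String newPassword) {
        if (this.username != null) {
            authService.savePassword(this.username, newPassword);
            // Close the recovery so the same proof cannot be replayed for another change.
            this.username = null;
            this.email = null;
            this.securityKey = null;
            // Show confirmation of successful password change
        } else {
            // Show error message stating that recovery process has
            // not yet been finished.
            // Also, if this happens there is high chance that the request
            // is forged and should probably be logged.
        }
    }

    /**
     * Compares the stored key with the one the client sent.
     * A missing key on either side is a mismatch (also avoids the NPE the original
     * {@code this.securityKey.equals(...)} had when no request was open), and the byte
     * comparison is constant-time so response timing does not leak how many leading
     * characters were right.
     */
    private static boolean keysMatch(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        // Fully qualified: this file has no import block to extend.
        return java.security.MessageDigest.isEqual(
                expected.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                supplied.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }
}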