Password reset by user itself

[Janusz]

Hi,
Currently if user forget the password then he/she is sending an email to administrator with request to reset it - and of course such process works fine.

However I am just wondering if such process could be automated in following way for example:
1. On login page there is a button "Password reset" so the user can enter his e-mail or login
2. After nuBuilder is sending link to the given e-mail box with a link allowing password reset.
3. After receiving an email user can click on the link and he/she can enter new password - or just random password will be sent back to the same e-mail

For the moment it looks to me quite complicated to implement in nuBuilder - because some actions has to be done without login into nuBuilder.
But maybe some PHP script can be used to process such request acessing directly MariaDB, or ....?
Do you have some experience with such case - or some other suggestions how to handle password change by user itself in the secure way?

[kev1n]

Hi Janusz,

I've done this before, using this information:

General information:
https://www.meziantou.net/how-to-implem ... cation.htm

Script (easy)
https://thisinterestsme.com/php-reset-password-form/

Script (more complex)
https://jasawebsite.ooo/membuat-form-re ... nakan-php/

Let me know if you need any further help with the scripts.

The other possibility would be to create a special access level and a nuBuilder form to reset a password.

[Janusz]

Thanks a lot Kev1n for this info.
I will try during next days to implement something based probably on the first script.
So if some problems will come I will post to get some help.

[kev1n]

If you go for the first script, here are some hints.

Basically, the password reset works like that:

The user clicks on a ‘Forgot Password?’ link that you put on the login page and is prompted to enter his/her email address.
If the email address has been confirmed (check if it exists in the db), then an email is sent with a unique link for them to click on.
Then, the user is prompted to enter a new password.

In the forgot.php file, you can include nuconfig.php to retrieve the db settings:

Code: Select all

include("../resetpw/nuconfig.php");

//Connect to MySQL database using PDO.
$pdo = new PDO("mysql:host=$nuConfigDBHost;dbname=$nuConfigDBName", $nuConfigDBUser, $nuConfigDBPassword);

Then modify the sql like that:

Code: Select all

$sql = "SELECT zzzzsys_user_id as id, sus_email FROM zzzzsys_user WHERE sus_email = :email";

The insert sql is going to look like this:

Code: Select all

$insertSql = "INSERT INTO password_reset_request
              (user_id, email, date_requested, token)
              VALUES
              (:user_id, :user_email, :date_requested, :token)";
			  
//Prepare our INSERT SQL statement.
$statement = $pdo->prepare($insertSql);
 
//Execute the statement and insert the data.
$statement->execute(array(
    "user_id" => $userId,
    "user_email" => $userEmail,	
    "date_requested" => date("Y-m-d H:i:s"),
    "token" => $token
));

In reset.php:

Code: Select all

include("../resetpw/nuconfig.php");

session_start();

//Connect to MySQL database using PDO.
$pdo = new PDO("mysql:host=$nuConfigDBHost;dbname=$nuConfigDBName", $nuConfigDBUser, $nuConfigDBPassword);

and then later, to update the password:

Code: Select all

    $sql = "update zzzzsys_user set sus_login_password='" . md5($password) . "' where zzzzsys_user_id = '" . $userId . "'";		
 

I hope that helps a little while implementing the script.

[Janusz]

Hi Kev1n,
Thanks for the code and started some implementation
so in the ./nucommon.js I added following code to have a button and a box to enter the password - but I am missing some knowledge how link it later / make interface with the forgot.php code.
Can you please give some advice how to progress?

Code: Select all

<tr>
<td style='text-align:center' colspan='2'>
<input id='psw_reset' type='button' class='nuButton'  style='margin:15px 0px 0px 200px;width:90px;height:20px;' onclick='prompt("Please enter your e-mail", "")' value='PSW reset'/>
</td>
</tr>

[kev1n]

I would add a link below the login in button by modifiying nuconfig.php that takes you to a separate page forgot.php:

(remove the /* and */ around $nuWelcomeBodyInnerHTML)

Code: Select all

 $nuWelcomeBodyInnerHTML			= " 
	
	
			<div id='outer' style='width:100%'>

				<div id='login' class='nuLogin'>
					<table>
						<tr>
							<td align='center' style='padding:0px 0px 0px 33px; text-align:center;'>
							<img src='graphics/logo.png'><br><br>
							</td>
						</tr>
						<tr>
							<td><div style='width:90px'>Username</div><input class='nuLoginInput' id='nuusername'/><br><br></td>
						</tr>
						<tr>
							<td><div style='width:90px'>Password</div><input class='nuLoginInput' id='nupassword' type='password'  onkeypress='nuSubmit(event)'/><br></td>
						</tr>
						<tr>
							<td style='text-align:center' colspan='2'><br><br>
								<input id='submit' type='button' class='nuButton' onclick='nuLoginRequest()' value='Log in '/>
							</td>
						</tr>
						
						<tr>
						<td style='text-align:right' colspan='2'>
						<a target='_blank' href=\"libs/password-recovery\forgot_password.php" style=\"color: #667;\">Forgot Password?</a>
						</td>
						</tr>

					</table>
				</div>
				
			</div>
				

login.PNG

";

[Janusz]

Thank's for the code. The first php script is working and link is generated with data recorded in the password_reset_request table
For the moment during test I fixed the email in the code as $email = ".....@wp.pl";
What would you suggest/how to construct input box inside php code asking to enter the email?

Now I am going to the second script

[kev1n]

What would you suggest/how to construct input box inside php code asking to enter the email?

Where would you like to have that exactly?

[Janusz]

Currently to test I did following:

Code: Select all

//Get the name that is being searched for.
$email = isset($_POST['email']) ? trim($_POST['email']) : '';
$email = "...@wp.pl";

I am a little blind here and do not know in fact how to ask the user for the email in this part of code - in case of JS I would probably put the prompt() in this place.

Regarding the second script it's already changing properly the password for the user with the link generated from the first script but there is some issue with the following part of the code

Code: Select all

//Fetch our result as an associative array.
$requestInfo = $statement->fetch(PDO::FETCH_ASSOC);

it generates empty string what results in not proper message afterwards - however password is properly changed.


>>> correction: so the fetch(PDO::FETCH_ASSOC) is not an issue I made some mistake in the code

[kev1n]

Add a form in the first script with an email field and submit button:

Code: Select all

<?php

//Show a html form with an email address field and a submit button

if (!isset($_POST['email'])) {
    echo '
		<div class="container">
		<link rel="stylesheet" href="style.css" >
		<form method="post" action="forgot.php">
		  Enter Your Email Address:
		  <input type="email" name="email" size="35" />
		  <div class="send-button">
			 <input type="submit" value="Reset My Password" />
		  </div>
		</form>
		</div>
		';
    exit();
}

include("../resetpw/nuconfig.php");

//Connect to MySQL database using PDO.
$pdo = new PDO("mysql:host=$nuConfigDBHost;dbname=$nuConfigDBName", $nuConfigDBUser, $nuConfigDBPassword);