Comments on: Tutorial: Reset passwords with Authlogic the RESTful way http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/ Ben Johnson's thoughts and programming techniques Tue, 26 Jan 2010 22:32:54 +0000 http://wordpress.org/?v=2.8 hourly 1 By: poleardillils http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-236 poleardillils Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-236 nice information.. good to read.. Good Luck. nice information.. good to read..
Good Luck.

]]> By: Lakshan http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-270 Lakshan Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-270 Nice tutorial Ben! Currently I'm converting my existing restful-authentication based apps to Authlogic. In this process, I was able to use forgot_password (git://github.com/greenisus/forgot_password) plugin with Authlogic without any issues. This plugin also approaches the problem in a similar fashion you have done and it's too flexible enough to customize. Nice tutorial Ben!

Currently I’m converting my existing restful-authentication based apps to Authlogic. In this process, I was able to use forgot_password (git://github.com/greenisus/forgot_password) plugin with Authlogic without any issues. This plugin also approaches the problem in a similar fashion you have done and it’s too flexible enough to customize.

]]> By: Karl http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-271 Karl Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-271 Ben, Authlogic is improving so nicely. Just let me iterate my appreciation for your work. Feature Request: now that you have added the password_reset_token, I was thinking how the same facility would work well for verification of new accounts. Of course, Authlogic doesn't need to facilitate all the account status changing, but the same password_reset_token could easily be used for validation as well. The only thing I see that would be required is to change the default expiry time from 10.minutes to something optionable. Just add the option of specifying the expiry time to find_using_password_reset_token(:expires_in => 20.minutes). 10 minutes is probably OK, but I like to leave users just a little more time. Thoughts? Ben,
Authlogic is improving so nicely. Just let me iterate my appreciation for your work.

Feature Request: now that you have added the password_reset_token, I was thinking how the same facility would work well for verification of new accounts. Of course, Authlogic doesn’t need to facilitate all the account status changing, but the same password_reset_token could easily be used for validation as well. The only thing I see that would be required is to change the default expiry time from 10.minutes to something optionable. Just add the option of specifying the expiry time to find_using_password_reset_token(:expires_in => 20.minutes). 10 minutes is probably OK, but I like to leave users just a little more time.

Thoughts?

]]> By: Ben Johnson http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-272 Ben Johnson Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-272 Hey Karl, I think thats a good idea. To be honest, you could use the password_reset_token for activation as well. Both tokens really are the same thing, so maybe they should share the same field? I'm thinking about renaming this to something a little more generic like "perishable_table"? I'm not sure yet, but I'll give it some more thought. Also, the expiration time is configurable. I provided this option for acts_as_authentic: * <tt>password_reset_token_valid_for</tt> - default: 10.minutes, Authlogic gives you a sepcial method for finding records by the password reset token (see Authlogic::ORMAdapters::ActiveRecordAdapter::ActcsAsAuthentic::PasswordReset). In this method it checks for the age of the token. If the token is old than whatever you specify here, a user will NOT be returned. This way the tokens are perishable, thus making this system much more secure. Hey Karl, I think thats a good idea. To be honest, you could use the password_reset_token for activation as well. Both tokens really are the same thing, so maybe they should share the same field? I’m thinking about renaming this to something a little more generic like "perishable_table"? I’m not sure yet, but I’ll give it some more thought.

Also, the expiration time is configurable. I provided this option for acts_as_authentic:

* <tt>password_reset_token_valid_for</tt> – default: 10.minutes,
Authlogic gives you a sepcial method for finding records by the password reset token (see Authlogic::ORMAdapters::ActiveRecordAdapter::ActcsAsAuthentic::PasswordReset). In this method
it checks for the age of the token. If the token is old than whatever you specify here, a user will NOT be returned. This way the tokens are perishable, thus making this system much
more secure.

]]> By: Henrik N http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-273 Henrik N Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-273 Instead of "# You do not need to add this method, I put it here so you know there is a view for this." I would recommend "render". Short, sweet and explicit. Also, it strikes me as a little weird that the Authlogic login is nice and RESTful, where this flow is not. How about a PasswordResetsController where new/create is for requesting the reset and edit/update is for actually resetting? Just how well this maps to REST can be discussed, but either way I think keeping it in its own controller makes things easier. Instead of "# You do not need to add this method, I put it here so you know there is a view for this." I would recommend "render". Short, sweet and explicit.

Also, it strikes me as a little weird that the Authlogic login is nice and RESTful, where this flow is not. How about a PasswordResetsController where new/create is for requesting the reset and edit/update is for actually resetting? Just how well this maps to REST can be discussed, but either way I think keeping it in its own controller makes things easier.

]]> By: Ben Johnson http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-274 Ben Johnson Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-274 Hi Henrik, you make some good points. I actually started off the tutorial with a separate passwords controller. I'm gonna play around with that again and see if it makes the most sense. I just released a new version of Authlogic, so I was going to update this tutorial anyways. Maybe I'll modify it to do that. Hi Henrik, you make some good points. I actually started off the tutorial with a separate passwords controller. I’m gonna play around with that again and see if it makes the most sense. I just released a new version of Authlogic, so I was going to update this tutorial anyways. Maybe I’ll modify it to do that.

]]> By: Karl http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-275 Karl Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-275 @Henrik: re:"How about a PasswordResetsController" I was thinking the exact same thing. Very RESTful, sir. Maybe it should be a nested resource under Account/User? But this really has nothing to do with Authlogic itself. @Henrik:
re:"How about a PasswordResetsController"

I was thinking the exact same thing. Very RESTful, sir. Maybe it should be a nested resource under Account/User?

But this really has nothing to do with Authlogic itself.

]]> By: Ben Johnson http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-276 Ben Johnson Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-276 Alright, I updated the tutorial, both of you are right, this is a much cleaner approach. Alright, I updated the tutorial, both of you are right, this is a much cleaner approach.

]]> By: Charlie http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-277 Charlie Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-277 Karl, that's exactly what I'm thinking. Probably a singular (rather than plural) resource directly below each user. Then requesting a password reset is basically sending an empty POST request to /users/karl/password_reset - as you said, it's independent of Authlogic (one reason why I'm loving Authlogic already!) but I think that's how I'll want to implement it. Karl, that’s exactly what I’m thinking. Probably a singular (rather than plural) resource directly below each user. Then requesting a password reset is basically sending an empty POST request to /users/karl/password_reset – as you said, it’s independent of Authlogic (one reason why I’m loving Authlogic already!) but I think that’s how I’ll want to implement it.

]]> By: Ben Johnson http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic/comment-page-1/#comment-278 Ben Johnson Sun, 16 Nov 2008 15:19:00 +0000 0/2009/03/23/tutorial-reset-passwords-with-authlogic#comment-278 Hey Charlie, That should be a very easy change. It's really up to you, go for it if you like that method better. Either way is fine. Hey Charlie,

That should be a very easy change. It’s really up to you, go for it if you like that method better. Either way is fine.

]]>