fix(auth): send password reset email when user has empty password #16

Closed
opened 2025-07-23 13:15:57 +00:00 by chartgerink · 1 comment
Owner

We are introducing OpenID Connect integration soon in the back-end. When someone creates their account using OIDC, it leads to no password being added to the database. This needs to be handled – currently it is an empty string (non-null).

Making passwords optional in the Users table will allow us to keep that value null. If someone with a null password tries to log in with a regular email+password combination, a reset password link is emailed to them. This also preempts any migration scenarios where accounts are migrated, but the password needs to be set up again.

Steps to implement for OIDC:

  1. Create the migration to make password_hash nullable
  2. Update the User model
  3. Update the login handler to send password reset emails for null passwords
  4. Fix the relevant OIDC handlers
Author
Owner
  1. Empty password after account is created using OIDC leads to invalid credentials for any password (including empty)
  2. Upon making password_hash nullable, the login times out for an empty password
  3. There is also a cascade of changes in the User model required upon making the `password_hash` nullable, which makes the code less strongly typed.
  4. This leads me to think that it may be better to upgrade the logic in the login when the password is empty.
  5. Setting a password for an OIDC account is a valid action - similar to migrated accounts, that would not have a password upon migration. This would mean we can keep the `password_hash` non-nullable, and ensure that if someone logs in and has an empty password, they get an email with a token to set the password.
  6. This could be defaulted to only happen if there are no OIDC links present

This means steps (1), (2) and (4) are irrelevant. The focus is to send a specific password reset email for those who are trying to log in with an empty password and do not have OIDC links.

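A sketch of the login decision the comment settles on, as an added example that is not code from researchequals-api: an empty `password_hash` is never compared against the submitted password; an account with no OIDC links gets a set-password token emailed instead, while an OIDC-linked account simply fails the password login. The `User` dataclass, the `oidc_links` field, the PBKDF2 storage format and the `send_reset_email` callback are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000  # assumption; tune for the deployment's hardware


@dataclass
class User:
    email: str
    password_hash: str  # "" for OIDC-first or freshly migrated accounts
    oidc_links: list[str] = field(default_factory=list)  # assumed field


def hash_password(password: str) -> str:
    """PBKDF2-HMAC-SHA256, stored as 'pbkdf2$<hex salt>$<hex digest>' (assumed format)."""
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ITERATIONS
    )
    return f"pbkdf2${salt}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """An empty stored hash matches nothing, so it is never compared at all."""
    if not stored:
        return False
    _, salt, expected = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), expected)


def login(user: User, password: str, send_reset_email) -> str:
    """Return 'ok', 'invalid_credentials' or 'reset_email_sent'."""
    if user.password_hash == "":
        if user.oidc_links:
            # OIDC-linked account: no email by default (comment's point 6).
            return "invalid_credentials"
        # No password and no OIDC link: mail a single-use token to set one.
        # Store only a hash of the token server-side, with an expiry.
        token = secrets.token_urlsafe(32)
        send_reset_email(user.email, token)
        return "reset_email_sent"
    if verify_password(password, user.password_hash):
        return "ok"
    return "invalid_credentials"
```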
chartgerink changed title from fix(auth): make password optional for OIDC first accounts to fix(auth): send password reset email when user has empty password 2025-08-11 09:03:05 +00:00
Reference: libscie/researchequals-api#16