Hello,
I wanted to ask if somebody has any suggestions or preferably, links, to examples of implementation of the reset password for a user. I am having a hard time implementing what the Change password documentation says, without explicit/specific examples.
Hello, Thanks for the reply.
Yes, I already read that document and I see some code there for the backend and already tried it without much luck.
I am using react and node js for my app. I have a button in my admin dashboard for every user already registered on my site/DB.
When I click that button, I want to force the user to change the password by sending an email notification.
But like I said I already tried the code on the page that you mentioned, I wanted to know if there are more explicit, step-by-step examples somewhere that might help a bit more…
If you login to your auth0 account and visit this page it will populate CLIENT_ID and DOMAIN values from your account automatically.
You need an API that can make an HTTP call like the one above to the Auth0 Authentication API.
You also need to pass the email address of the user you want to reset the password for from your UI to your NodeJS api.
Then you can use this email when you send the reset password request to Auth0 Authentication api.
Calling this api will send the user a reset password email and they can follow instructions on how to reset their password.
Also note this flow is not for social logins like Google or Facebook, since the passwords are not kept with Auth0 and need to be reset with the provider.
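As an added example (not code from the thread or from Auth0), here is the Node.js side of the flow just described: an admin-only handler takes the user's email from the UI and forwards it to the Authentication API's change_password endpoint, which takes no Authorization header. The domain, client id and connection name are placeholders, and the HTTP function is injectable so the logic can be exercised offline.

```javascript
// Placeholders: replace with your tenant's values (or set the env vars).
const AUTH0_DOMAIN = process.env.AUTH0_DOMAIN || 'your-tenant.auth0.com';
const AUTH0_CLIENT_ID = process.env.AUTH0_CLIENT_ID || 'YOUR_CLIENT_ID';
const DB_CONNECTION = 'Username-Password-Authentication'; // name of your database connection

// Build the request the Authentication API expects: POST JSON with
// client_id, email and the database connection name.
function buildChangePasswordRequest(email, opts = {}) {
  const { domain = AUTH0_DOMAIN, clientId = AUTH0_CLIENT_ID, connection = DB_CONNECTION } = opts;
  // Validate server-side: the admin UI is not the only possible caller.
  if (typeof email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    throw new Error('invalid email address');
  }
  return {
    url: `https://${domain}/dbconnections/change_password`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ client_id: clientId, email, connection }),
    },
  };
}

// Send the request. httpPost defaults to Node's global fetch (Node 18+);
// a fake can be injected for offline tests.
async function sendPasswordResetEmail(email, httpPost = globalThis.fetch) {
  const { url, options } = buildChangePasswordRequest(email);
  const res = await httpPost(url, options);
  // Auth0 answers 200 with a plain-text body such as
  // "We've just sent you an email to reset your password."
  return { ok: res.ok, status: res.status, message: await res.text() };
}

// Express-style handler. Mount it only behind your admin authentication
// middleware: the Auth0 endpoint itself is public, so the gate is your API.
async function forcePasswordResetHandler(req, res) {
  try {
    const result = await sendPasswordResetEmail(req.body.email);
    res.status(result.ok ? 202 : 502).json({ sent: result.ok });
  } catch (err) {
    res.status(400).json({ error: err.message });
  }
}
```

Wire it up with `app.post('/admin/users/force-reset', requireAdmin, forcePasswordResetHandler)`, where `requireAdmin` is whatever protects your dashboard's API routes.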
Thanks again, but like I said I’m struggling to understand how to implement that code. I wanted to know if you know any good examples step by step (maybe videos from somebody else?).
Regards.
This code uses rules, which are now deprecated. We only want to enforce a password reset on a subset of the users, which means that the community-provided password reset logic doesn’t work for us. How do we go about implementing something similar in an action? Setting the user’s password to the empty string by using the management.users.update() function doesn’t work.
That doesn’t work for our case because the password expiration needs to be conditionally applied. We have different subsets of users with different requirements.
It’d be great if y’all could open-source that action so that people could read and adapt it to their use case.
If you require the password expiration to be applied conditionally, you might need to write a custom post-login action script to handle this scenario.
Here’s sample code you can adapt to your use case:
```javascript
const axios = require('axios');

exports.onExecutePostLogin = async (event, api) => {
  // Get the user's last password reset timestamp
  const lastPasswordReset = event.user.last_password_reset;
  // Check if the last password reset timestamp exists
  if (lastPasswordReset) {
    // Convert lastPasswordReset to a Date object
    const lastResetDate = new Date(lastPasswordReset);
    // Get the current date
    const currentDate = new Date();
    // Calculate the difference in days between the current date and the last password reset
    const daysSinceReset = Math.floor((currentDate - lastResetDate) / (1000 * 60 * 60 * 24));
    // Check if it has been more than 30 days since the last password reset
    if (daysSinceReset > 30) {
      try {
        // Force Password Reset. In Actions, event.connection is an object;
        // the endpoint expects the connection's name.
        await requestPasswordChange(event.user.email, event.connection.name, event.client.client_id);
      } catch (error) {
        console.error('Failed to send password reset email:', error);
      }
      api.access.deny("Please reset your password to continue to the application.");
    }
  }
};

async function requestPasswordChange(email, connection, clientId) {
  const url = 'https://{yourDomain}/dbconnections/change_password'; // Replace {yourDomain} with your actual domain
  const payload = {
    email: email,
    connection: connection,
    client_id: clientId
  };
  // Errors are left to propagate so the caller's try/catch sees them
  await axios.post(url, payload, {
    headers: {
      'Content-Type': 'application/json'
    }
  });
  console.log('Password change request sent');
}
```
Please note that this piece of code is not 100% ready for production and you must test the code to ensure its functionality meets your requirements.
We’ve already implemented something equivalent using the node-auth0 lib. The piece I was missing is that I needed to use the auth0.database.changePassword function, not auth0.user.update. My current issue is that the documentation didn’t really help me get there, and even the snippet you shared doesn’t seem to include authentication credentials - I don’t see the authorization header that would allow a call to Auth0 to succeed. That part isn’t trivial.
In the code snippet I shared, you do not need any authorization headers for using the Authentication API’s Change password endpoint. See this reference.
I have tested it on my end and can confirm that it works. The script will force users to reset their passwords if they have not changed them for more than 30 days.
Does that mean the endpoint is unauthenticated, or does that mean that the version of Axios provided by the environment is doing some hidden interceptor patching to provide authentication credentials to the request to the management API?
The former would be concerning from a security perspective. I haven’t seen the latter documented anywhere - is there documentation of that?