How to force a user to reset password

Hello,
I wanted to ask if somebody has any suggestions or preferably, links, to examples of implementation of the reset password for a user. I am having a hard time implementing what the Change password documentation says, without explicit/specific examples.

Any help would be greatly appreciated.

Regards.

Welcome to Auth0 community,

I am guessing you have already looked at this document. There are multiple ways to reset a user’s password.

Please describe your use case a bit more so I can understand which solution best matches your need.

Hello, Thanks for the reply.
Yes, I already read that document and I see some code there for the backend and already tried it without much luck.
I am using React and Node.js for my app. I have a button in my admin dashboard for every user already registered on my site/DB.
When I click that button, I want to force the user to change the password by sending an email notification.
But like I said I already tried the code on the page that you mentioned, I wanted to know if there are more explicit, step-by-step examples somewhere that might help a bit more…

Regards.

Thanks, I understand the use case better now.
So you want to trigger an interactive password reset flow using your Node.js API.

I think using the Authentication API might be the easiest in this case.

There is already a code snippet provided on the page.

var axios = require("axios").default;

var options = {
  method: 'POST',
  url: 'https://YOUR_DOMAIN/dbconnections/change_password',
  headers: {'content-type': 'application/json'},
  data: {
    client_id: 'YOUR_CLIENT_ID',
    email: '',
    connection: 'Username-Password-Authentication'
  }
};

axios.request(options).then(function (response) {
  console.log(response.data);
}).catch(function (error) {
  console.error(error);
});

If you log in to your Auth0 account and visit this page it will populate the CLIENT_ID and DOMAIN values from your account automatically.

You need an API that can make an HTTP call like the one above to the Auth0 Authentication API.

You also need to pass the email address of the user you want to reset the password for from your UI to your Node.js API.
Then you can use this email when you send the reset password request to the Auth0 Authentication API.

Calling this API will send the user a reset password email and they can follow the instructions on how to reset their password.

Also note this flow is not for social logins like Google or Facebook, since the passwords are not kept with Auth0 and need to be reset with the provider.

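The admin-triggered flow described in the reply above (UI passes an email to your Node.js API, which calls the Authentication API), written out as an added example; this is not code from the thread or from Auth0. It assumes Node 18+ for the global fetch, the `Username-Password-Authentication` connection name used earlier, and placeholders `YOUR_DOMAIN` / `YOUR_CLIENT_ID` for your tenant values.

```javascript
const CHANGE_PASSWORD_PATH = '/dbconnections/change_password';

// Cheap shape check so a malformed value from the admin UI never reaches Auth0.
function isPlausibleEmail(email) {
  return typeof email === 'string' && email.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
}

// Builds the same request the axios snippet above sends, as plain data that can be
// inspected and tested without a network connection.
function buildChangePasswordRequest({ domain, clientId, connection, email }) {
  if (!isPlausibleEmail(email)) {
    throw new Error('refusing to send reset request: invalid email');
  }
  return {
    url: `https://${domain}${CHANGE_PASSWORD_PATH}`,
    init: {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ client_id: clientId, email, connection }),
    },
  };
}

// Sends the request. `fetchImpl` defaults to Node's global fetch (Node 18+) and is
// injectable so the function can be exercised offline. The endpoint itself takes no
// Authorization header, so the check that the caller is really an admin belongs on your
// own Node.js route, before this function is ever reached.
async function triggerPasswordReset(params, fetchImpl = globalThis.fetch) {
  const { url, init } = buildChangePasswordRequest(params);
  const res = await fetchImpl(url, init);
  const text = await res.text();
  if (!res.ok) {
    throw new Error(`Auth0 returned HTTP ${res.status}: ${text}`);
  }
  return text; // Auth0 replies with a one-sentence confirmation
}

// Example wiring from an admin route handler (constructed; replace the placeholders):
//   await triggerPasswordReset({
//     domain: 'YOUR_DOMAIN', clientId: 'YOUR_CLIENT_ID',
//     connection: 'Username-Password-Authentication', email: req.body.email,
//   });
```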

Thanks again, but like I said I’m struggling to understand how to implement that code. I wanted to know if you know any good examples step by step (maybe videos from somebody else?).
Regards.

Hi, I was trying to run the snippet on the page, with the curl command I got

We’ve just sent you an email to reset your password.

But I have not received the reset email despite me trying multiple times. In the doc there is this line that confuses me

Go to Auth0 Dashboard > Applications > Applications, and add the URL to the Allowed Origins (CORS) list.

What is the URL in this case? Can you add a screenshot of where exactly to paste this URL?
Thanks

This code uses rules, which are now deprecated. We only want to enforce a password reset on a subset of the users, which means that the community-provided password reset logic doesn’t work for us. How do we go about implementing something similar in an action? Setting the user’s password to the empty string by using the management.users.update() function doesn’t work.

Hi @xbox.user29, @pazel, @kle, @tanner.stirrat,

You could consider using the built-in Password Rotation Action to force your users to set a new password after a certain number of days.

In the action integration, you will be able to set the Password Expiry in Days and Error Message.

Let me know if you have any questions.

Thanks,
Rueben

Rueben:

That doesn’t work for our case because the password expiration needs to be conditionally applied. We have different subsets of users with different requirements.

It’d be great if y’all could open-source that action so that people could read and adapt it to their use case.

Hi @tanner.stirrat,

Thanks for the update.

If you require the password expiration to be applied conditionally, you might need to write a custom post-login action script to handle this scenario.

Here’s a sample code you can use to adapt to your use case:

const axios = require('axios');

exports.onExecutePostLogin = async (event, api) => {
  // Get the user's last password reset timestamp (undefined if they never reset)
  const lastPasswordReset = event.user.last_password_reset;

  // Check if the last password reset timestamp exists
  if (lastPasswordReset) {
    // Convert lastPasswordReset to a Date object
    const lastResetDate = new Date(lastPasswordReset);

    // Get the current date
    const currentDate = new Date();

    // Calculate the difference in whole days between the current date and the last password reset
    const daysSinceReset = Math.floor((currentDate - lastResetDate) / (1000 * 60 * 60 * 24));

    // Check if it has been more than 30 days since the last password reset
    if (daysSinceReset > 30) {
      try {
        // Force Password Reset. event.connection is an object; the endpoint expects the connection name.
        await requestPasswordChange(event.user.email, event.connection.name, event.client.client_id);
      } catch (error) {
        console.error('Failed to send password reset email:', error);
      }
      api.access.deny("Please reset your password to continue to the application.");
    }
  }
};

async function requestPasswordChange(email, connection, clientId) {
  const url = 'https://{yourDomain}/dbconnections/change_password'; // Replace {yourDomain} with your actual domain
  const payload = {
    email: email,
    connection: connection,
    client_id: clientId
  };

  // Errors are not swallowed here; they propagate to the caller, which logs them
  await axios.post(url, payload, {
    headers: {
      'Content-Type': 'application/json'
    }
  });
  console.log('Password change request sent');
}

Please note that this piece of code is not 100% ready for production and you must test the code to ensure its functionality meets your requirements.

Thanks,
Rueben
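The conditional variant asked for earlier in the thread (different expiry rules for different subsets of users), as an added example that is not Rueben's sample or any Auth0-supplied code. It separates the decision from the side effects so it can be unit-tested outside the Actions runtime; the `POLICIES` table and the `app_metadata.password_policy` field it reads are hypothetical and would be defined by you.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical policy table: maximum password age in days per user group; null = never expires.
// The group comes from app_metadata.password_policy, a field you would set on your own users.
const POLICIES = { default: null, staff: 90, admin: 30 };

// Pure decision over the plain event.user / event.connection objects a Post-Login Action
// receives, so it runs and can be tested outside the Actions runtime.
function passwordResetRequired(user, connection, now = new Date()) {
  // Only database connections hold an Auth0-managed password; social logins are left alone.
  if (!connection || connection.strategy !== 'auth0') {
    return { required: false, reason: 'not a database connection' };
  }
  const group = (user.app_metadata && user.app_metadata.password_policy) || 'default';
  const maxAgeDays = POLICIES[group];
  if (maxAgeDays == null) {
    return { required: false, reason: `no expiry for group ${group}` };
  }
  // A user who never reset falls back to account creation time instead of being skipped.
  const anchor = user.last_password_reset || user.created_at;
  if (!anchor) {
    return { required: false, reason: 'no timestamp available' };
  }
  const ageDays = Math.floor((now - new Date(anchor)) / DAY_MS);
  return { required: ageDays > maxAgeDays, reason: `age ${ageDays}d, limit ${maxAgeDays}d`, ageDays, maxAgeDays };
}

// Action entry point with the same shape as the sample above. `requestReset` is whatever
// calls /dbconnections/change_password; injecting it keeps this handler testable.
function makeOnExecutePostLogin(requestReset) {
  return async (event, api) => {
    const decision = passwordResetRequired(event.user, event.connection);
    if (!decision.required) return;
    try {
      await requestReset(event.user.email, event.connection.name, event.client.client_id);
    } catch (err) {
      console.error('Failed to send password reset email:', err);
    }
    api.access.deny('Your password has expired. Use the reset link we emailed you, then sign in again.');
  };
}

// In the Action itself: exports.onExecutePostLogin = makeOnExecutePostLogin(requestPasswordChange);
```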

Rueben:

We’ve already implemented something equivalent using the node-auth0 lib. The piece I was missing is that I needed to use the auth0.database.changePassword function, not auth0.user.update. My current issue is that the documentation didn’t really help me get there, and even the snippet you shared doesn’t seem to include authentication credentials - I don’t see the authorization header that would allow a call to Auth0 to succeed. That part isn’t trivial.

Hi @tanner.stirrat,

In the code snippet I shared, you do not need any authorization headers for using the Authentication API’s Change password endpoint. See this reference.

Have you had the chance to test the code in a Post-Login Action?

I have tested it on my end and can confirm that it works. The script will force users to reset their passwords if they have not changed them for more than 30 days.

Thanks,
Rueben

Does that mean the endpoint is unauthenticated, or does that mean that the version of Axios provided by the environment is doing some hidden interceptor patching to provide authentication credentials to the request to the management API?

The former would be concerning from a security perspective. I haven’t seen the latter documented anywhere - is there documentation of that?

100% agree that it would be super helpful if Password Rotation integration could be added to the existing open-source Auth0 Market Place repo
