Giriş
Akış şöyle
1. Users enter email in the UI
2. Creating password reset token and storing it in DB
3. Sending token to the user and verifying it when used
1. Users enter email in the UI
Açıklaması şöyle
2. Store the Token in the DatabaseThis is how users will begin the process of updating their password. There's usually a simple form available that lets them enter the email address associated with their account.When they submit the email address, this will trigger the back-end to check if that email exists in the database. Even if the email doesn't exist, we'll show a message that says the email has been sent successfully. That way we don't give attackers any indication that they should try a different email address.If the email does exist in the database, then we create a new password reset token, store its hashed version in the database, and generate a password reset link that's sent to the user's email address.
Açıklaması şöyle
Veri tabanı tablosu şöyledirAfter the token has been created, it's hashed using SHA256 and stored in the database along with the user’s ID and it's assigned an expiration time. That way the token is only valid for a set amount of time, blocking attacks that could happen if the token never expired.
CREATE TABLE password_reset_tokens (user_id VARCHAR(36) NOT NULL,token VARCHAR(128) NOT NULL UNIQUE,token_expiry BIGINT UNSIGNED NOT NULL,PRIMARY KEY (user_id, token),);
Açıklaması şöyle
Kullanıcıya e-posta ile gönderilen link şöyleIf you notice, we allow multiple tokens to be stored per user. This is necessary since we only store the hashed version of the tokens in the DB. This means that if a user requests multiple tokens at the same time, we cannot send them the same previously generated token (which is not yet redeemed) since it’s stored in hashed form.In the end, we want to generate a password reset link which points to a link on your website that displays the “enter new password” form and also contains the token.
https://example.com/reset-password?token=<Token here>
3. Sending token to the user and verifying it when used
Burada token ve yeni şifre birlikte gönderiliyor.
1. Önce token var mı kontrolü
2. Token bayat mı kontrolü
3. Token silinir
4. Yeni şifre kaydedilir
Hiç yorum yok:
Yorum Gönder