After creating the Forgot Password flow yesterday I immediately began thinking about how to hack it and steal someone’s info. Today, I secured it!

ACCESS DENIED

I added an additional database to store password recovery requests. Each request now has a 10 minute lifespan, after which the database deletes the entry, eliminating the possibility of someone getting hold of a user's id and changing their password anytime they want. There are additional checks in the API that compare the creation and expiration dates and delete the entry on both error and success.

This still doesn't feel fool-proof; I think I should create a random URL next for the password reset flow.


Ok, so instead of using the user's id, we're now using the request id! It's much more difficult to get hold of, and no user information is exposed at any point!
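Here is what the two pieces described above (the short-lived recovery-request table, and the random request id in the reset URL instead of the user's id) look like when put together. This is an added example written for this post, not the project's own code: the table layout, function names and the in-memory SQLite store are assumptions for illustration. It goes one step beyond the post by storing only a hash of the request id, so that even someone who reads the table cannot build a working reset link from it.

```python
import hashlib
import secrets
import sqlite3
import time
from typing import Optional

RESET_TTL_SECONDS = 10 * 60  # 10 minute lifespan, matching the post


def open_store() -> sqlite3.Connection:
    """Create the separate recovery-request table.

    In-memory SQLite here so the example runs stand-alone (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE password_reset_requests (
               token_hash TEXT PRIMARY KEY,
               user_id    INTEGER NOT NULL,
               created_at INTEGER NOT NULL,
               expires_at INTEGER NOT NULL
           )"""
    )
    return conn


def _hash_token(token: str) -> str:
    # Only the hash is stored; a leaked row cannot be replayed as a reset link.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_reset_request(conn: sqlite3.Connection, user_id: int,
                         now: Optional[int] = None) -> str:
    """Issue a reset request and return the random request id for the emailed URL."""
    now = int(time.time()) if now is None else now
    # 256 bits from the OS CSPRNG: unlike a user id, this cannot be guessed or enumerated.
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO password_reset_requests VALUES (?, ?, ?, ?)",
        (_hash_token(token), user_id, now, now + RESET_TTL_SECONDS),
    )
    conn.commit()
    return token


def purge_expired(conn: sqlite3.Connection, now: Optional[int] = None) -> int:
    """Background cleanup: drop every request whose lifespan has ended. Returns rows removed."""
    now = int(time.time()) if now is None else now
    cur = conn.execute("DELETE FROM password_reset_requests WHERE expires_at <= ?", (now,))
    conn.commit()
    return cur.rowcount


def consume_reset_request(conn: sqlite3.Connection, token: str,
                          now: Optional[int] = None) -> Optional[int]:
    """Look up a request by its random id. Returns the user_id exactly once, else None.

    The row is deleted on every outcome (expired, bad, or used), so a link is single-use."""
    now = int(time.time()) if now is None else now
    token_hash = _hash_token(token)
    # Lookup is by the hash of a high-entropy random value, so there is no
    # attacker-controlled comparison here that would need a constant-time compare.
    row = conn.execute(
        "SELECT user_id, created_at, expires_at FROM password_reset_requests "
        "WHERE token_hash = ?",
        (token_hash,),
    ).fetchone()
    if row is None:
        return None
    user_id, created_at, expires_at = row
    # Delete first: success consumes the request, failure discards it.
    conn.execute("DELETE FROM password_reset_requests WHERE token_hash = ?", (token_hash,))
    conn.commit()
    # Compare creation and expiration dates against the clock; reject anything outside the window.
    if not (created_at <= now < expires_at):
        return None
    return user_id


if __name__ == "__main__":
    store = open_store()
    link_id = create_reset_request(store, user_id=42)
    print("reset URL would be /reset/" + link_id)
    print("first use ->", consume_reset_request(store, link_id))   # 42
    print("second use ->", consume_reset_request(store, link_id))  # None, already consumed
```

The `now` parameter exists so the expiry window can be tested deterministically; in the real API it is simply omitted and the wall clock is used.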

Yeah, that feels much better.

Questions, comments, concerns?

Email me or leave a comment below!

Links

Your Recruiter website

Github repository