My Account - Forgot Password #2619
Conversation
Co-authored-by: Stephen <[email protected]>
|
|
Performance Test Results The following fails have been reported by WebpageTest. These numbers indicates a possible performance issue with the PR which requires further manual testing to validate. https://pr-2619.pwa-venia.com : LH Performance Expected 0.85 Actual 0.33, LH Accessibility Expected 1 Actual 0.97, LH Best Practices Expected 1 Actual 0.93, WPT Cache Expected 90 Actual 38 |
| }, | ||
| { | ||
| name: 'Reset Password', | ||
| pattern: '/customer/account/createPassword', |
There was a problem hiding this comment.
The route can change. It is the route configured in the forgot password email template in the admin panel.
I don't think we have a setting for changing it without modifying the email template manually. Should we have this in the app config?
There was a problem hiding this comment.
TBH I'm not sure how much we care about the preconfigured routes. I would also probably use hyphen instead of camelcase ie /customer/account/create-password.
There was a problem hiding this comment.
It is the default route. If we happen to change this and someone forgets to change the template, the whole workflow fails. That is no reason to not change since someone configuring this should know for sure. I prefer your idea as well, hyphen case is correct in this case.
There was a problem hiding this comment.
I believe until such time that there is a M2 module for Magento Core that configures the front-end to be in line with PWA Studio expectations with a click of a button the default route should work.
If there was preference for something else maybe an upward rule could be added to redirect from the default to the PWA Studio expected?
There was a problem hiding this comment.
There was a problem hiding this comment.
@revanth0212 I do believe you might have stumbled on a bigger discussion here...
This link:
https://staging-vdt2zeq-c5v7sxvquxwl4.eu-4.magentosite.cloud/customer/account/createPassword/?email=EMAIL_ID&token=TOKEN
combined with running the upward php connector would result in this
making it an upward response (unless the route gets whitelisted, I am not sure that there is currently an option to whitelist a changeable url).
The other option I consider likely is that the back-end will be configured to send out an email like
https://venia.magento.com/customer/account/createPassword/?email=EMAIL_ID&token=TOKEN
(the base url can be changed for the complete site, whereas the /customer/account/createPassword part is in the individual email template) with a separate back-end url. In this scenario upward-js would handle it.
There was a problem hiding this comment.
I am not sure if the admin panel has an option to store/change the main site URL / public URL for instance https://venia.magento.com/. If so, we can check to use that.
This is how the URL is generated in the email template:
<a href="{{var this.getUrl($store,'customer/account/createPassword/',[_query:[token:$customer.rp_token,email:$customer.email],_nosid:1])}}" target="_blank">{{trans "Set a New Password"}}</a>
Ill have to look into the implementation of the this.getUrl function to know what variables it is considering.
There was a problem hiding this comment.
@revanth0212 it is all configurable under Stores > Configuration > Web.
I guess the point I was trying to make is that upward is part of it one way or the other (upward-php or upward-js).
So if you wanted to have a route my-account/create-password then an upward rule could redirect from customer/account/createPassword/ to my-account/create-password to cover people using the default template.
QAVerification StepsNote: verification steps were performed on #2621 PR deployment.
OtherCannot Reset the Customer's PasswordI entered an email that does not have an account and got the following error:
This seems like a reasonable error message, my only concern is that we may be providing valuable information to a potential attacker. The standard message "If there is an account associated with EMAIL you will receive an email with a link to change your password" covers this error scenario and it might be better to show that message even when we get this error in the I should also note that I am assuming that the reason we got that error was because there was no account associated with that email address. Should probably check with the GraphQL team to make sure. Stay on Reset Password PageAfter resetting my password and signing in via the site header, I was never navigated away from the "Reset Password" page:
I'm not quite sure what I'd want to happen instead, but it was a strange UX, especially after I signed in successfully. cc @schensley |
If I remember correctly, the GQL team is working on updating their mutations to provide more reasonable/understandable error messages. It should be just a matter of time before they come up with a better error message for such use cases. That said, should we wait for them or render our own message? If we do it ourselves, it will be a standard message for any sort of an error from the server. Also, even if we do that, it might still be subject to security because the attacker can simply check the network tab for the error reported from the server. What do you guys think? |
This isn't uncommon for reset pages, at least from my experience. I don't think we can predict where the user would like to be. Maybe they will sign in immediately, but do they intend to go to checkout, perform some Account management, or enable a personalized shopping experience? Arbitrarily navigating them to some page (i.e. Home page) could feel imposing or interpreted as presenting some workflow they think they must complete. Keeping them on a page that displays a Success message allows them to make that decision themselves. |
Good point. I'm good keeping this as-is then, with the hopes that GQL error messages improve. |
|
Are there security concerns with having the customer email and a reset token in the URL? |
It is usual practice to include email and a token in the reset link. We can get away with not having the email in the link by adding another field on the page where the user can enter their email. But, token needs to be present in the link. |
Is the link and params configurable in the back end? What is the default setting? |
Yeah, link and params are configurable. We are using the default link which is |
This is also a technical requirement, the GraphQL mutation requires token, email, and new password. |
Yes, you are right but UX wanted the user to click the link, enter new password and submit. Hence we had to change the email template to include email id as well. |
Are you saying that you customized your back end to include I would be cautious about customizing the default link - it would be preferable to leave it as is so pwa studio just works out of the box. If we absolutely must stick to this UX then can you create a follow up ticket to have @jcalcaben update the "getting started" steps and whatever documentation is necessary? My instinct is to have an email entry field and a new password field and to not customize the link. |
|
Hi @supernova-at, I believe this code was removed accidentally when merging this PR: #2657 Please advise. |
|
HI @abso-bmarquis, Latest PR related to forgot password refactor is #2726. Thanks, |
|
Thanks! |
Description
Implemented forgot password UX and workflow for the new my account feature.
For this PR I had to add a new route
/customer/account/createPasswordwhich provides the UX to reset the user's password.When the user requests a password reset, the backend sends an email with a button to take the user to a new tab. The link that the backend includes in the email, uses the MAGENTO_BACKEND_URL as the domain. Since all the backends don't have the code to handle the new route
/customer/account/createPassword, @dpatil-magento helped me deploy the new code on this server: https://staging-vdt2zeq-c5v7sxvquxwl4.eu-4.magentosite.cloud/. If someone wants to test this PR locally, please use the above backend URL instead.Also if you wanna test this PR on a deployed instance please use #2621. @dpatil-magento made sure the backend for that PR is set to https://staging-vdt2zeq-c5v7sxvquxwl4.eu-4.magentosite.cloud/ which has the code to handle the new route.
Another way to test this is to paste the query string part from the email link next to the deployed app URL, for instance:
https://pr-2619.pwa-venia.com/customer/account/createPassword/+?email=gooseton%40gmail.com&token=*******.Sorry if this is confusing.
Note: To be merged only after #2590
Related Issue
Closes PWA-77
Acceptance
Users should be able to reset their password.
Verification Stakeholders
@soumya-ashok
@schensley
@jimbo
Specification
This PR adds a new route
customer/account/createPasswordwhich takes 2 query params?email=EMAIL_ID&token=RESET_TOKEN.Verification Steps
Screenshots / Screen Captures (if appropriate)
Demo link: https://jira.corp.magento.com/secure/attachment/367170/Forgot%20password%20demo.mp4
Checklist