An open API service providing package, version and dependency metadata of many open source software ecosystems and registries.

Top 3.5% on proxy.golang.org
Top 3.4% dependent packages on proxy.golang.org
Top 1.5% dependent repos on proxy.golang.org
Top 5.4% forks on proxy.golang.org
Top 2.1% docker downloads on proxy.golang.org

proxy.golang.org : github.com/dchest/passwordreset

Package passwordreset implements creation and verification of secure tokens useful for implementing a "reset forgotten password" feature in web applications. The package generates and verifies signed one-time tokens that can be embedded in a link sent to users when they initiate the password reset procedure. When a user changes their password, or when the expiry time passes, the token becomes invalid.

Secure token format: a token consists of an expiration time, a login and a signature, where:

expiration time is the number of seconds since the Unix epoch (UTC) at which this token must expire (4 bytes, big-endian, uint32);

login is a byte string of arbitrary length (at least 1 byte, not null-terminated);

signature is 32 bytes of HMAC-SHA256(expiration_time || login, k), where k = HMAC-SHA256(expiration_time || login, userkey), userkey = HMAC-SHA256(password value, secret key), password value is any piece of information derived from the user's password that will change once the user changes their password (for example, a hash of the password), and secret key is an application-specific secret key.

The password value is what makes tokens one-time: once a user changes their password, the token they used to perform the reset becomes invalid.

Usage example: Your application must have a strong secret key for password reset purposes. This key will be used to generate and verify password reset tokens. (If you already have a secret key, for example for the authcookie package, it is better not to reuse it; use a different one.)

Create a function that will query your users database and return some password-related value for the given login. A password-related value means some value that will change once a user changes their password, for example: a password hash, a random salt used to generate it, or the time of password creation. This value, mixed with the app-specific secret key, will be used as the key for the password reset token, so it must be kept secret.

When a user initiates a password reset (by entering their login, and maybe answering a secret question), generate a reset token. Send a link with this token to the user by email, for example: https://www.example.com/reset?token=Talo3mRjaGVzdITUAGOXYZwCMq7EtHfYH4ILcBgKaoWXDHTJOIlBUfcr

Once the user clicks this link, read the token from it, then verify the token by passing it to the VerifyToken function along with the getPasswordHash function and the app-specific secret key. If verification succeeds, allow the password to be changed for the returned login.
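The key chain and token layout described above, implemented in Go as an added illustration of the scheme. This is not the passwordreset package's own code: the function names, the URL-safe unpadded base64 encoding of the token, the single ErrInvalidToken error value, and the sample secret and password hashes are assumptions of this example, chosen to show why a changed password value or a passed expiry invalidates a token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ErrInvalidToken covers malformed, expired, tampered and already-used tokens.
// One error value on purpose: callers cannot tell the reasons apart (assumption).
var ErrInvalidToken = errors.New("passwordreset: invalid token")

const sigLen = sha256.Size // HMAC-SHA256 output, 32 bytes

// hmacSHA256 follows the description's HMAC-SHA256(message, key) argument order.
func hmacSHA256(message, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(message)
	return m.Sum(nil)
}

// tokenSignature derives the key chain from the description:
//   userkey   = HMAC-SHA256(password value, secret key)
//   k         = HMAC-SHA256(expiration_time || login, userkey)
//   signature = HMAC-SHA256(expiration_time || login, k)
func tokenSignature(data, pwval, secret []byte) []byte {
	userKey := hmacSHA256(pwval, secret)
	k := hmacSHA256(data, userKey)
	return hmacSHA256(data, k)
}

// NewToken builds exp (4 bytes, big-endian uint32) || login || signature.
// URL-safe unpadded base64 is this example's choice of encoding (assumption).
func NewToken(login, pwval, secret []byte, exp time.Time) (string, error) {
	if len(login) == 0 {
		return "", errors.New("passwordreset: login must be at least 1 byte")
	}
	data := make([]byte, 4+len(login))
	binary.BigEndian.PutUint32(data, uint32(exp.Unix()))
	copy(data[4:], login)
	tok := append(data, tokenSignature(data, pwval, secret)...)
	return base64.RawURLEncoding.EncodeToString(tok), nil
}

// VerifyTokenAt validates token against the clock now and returns the login it
// was issued for. getPasswordValue returns the user's current password-derived
// value; once the password changes, the recomputed signature no longer matches,
// which is what makes the token one-time.
func VerifyTokenAt(token string, getPasswordValue func(login []byte) ([]byte, error),
	secret []byte, now time.Time) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) < 4+1+sigLen {
		return nil, ErrInvalidToken
	}
	data, sig := raw[:len(raw)-sigLen], raw[len(raw)-sigLen:]
	login := data[4:]
	pwval, err := getPasswordValue(login)
	if err != nil {
		return nil, ErrInvalidToken
	}
	// Constant-time MAC comparison; only a correctly signed token gets its expiry honoured.
	if !hmac.Equal(sig, tokenSignature(data, pwval, secret)) {
		return nil, ErrInvalidToken
	}
	if now.Unix() >= int64(binary.BigEndian.Uint32(data[:4])) {
		return nil, ErrInvalidToken
	}
	return append([]byte(nil), login...), nil
}

// VerifyToken is the production entry point: the same check against the real clock.
func VerifyToken(token string, getPasswordValue func([]byte) ([]byte, error), secret []byte) ([]byte, error) {
	return VerifyTokenAt(token, getPasswordValue, secret, time.Now())
}

func main() {
	secret := []byte("constructed-app-secret-do-not-reuse")            // constructed sample
	users := map[string][]byte{"alice": []byte("bcrypt-hash-v1")}      // constructed sample
	get := func(login []byte) ([]byte, error) {
		if v, ok := users[string(login)]; ok {
			return v, nil
		}
		return nil, errors.New("no such user")
	}
	tok, _ := NewToken([]byte("alice"), users["alice"], secret, time.Now().Add(time.Hour))
	fmt.Println("https://www.example.com/reset?token=" + tok)
	login, err := VerifyToken(tok, get, secret)
	fmt.Println("first use:", string(login), err)
	users["alice"] = []byte("bcrypt-hash-v2") // password changed: the token is now spent
	_, err = VerifyToken(tok, get, secret)
	fmt.Println("after password change:", err)
}
```

The login is read from the token before verification because the user key cannot be derived without the database lookup; that is inherent to the scheme, so the lookup callback should be cheap and side-effect free. Keeping one error value for every failure avoids turning the endpoint into an oracle for which logins exist.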

purl: pkg:golang/github.com/dchest/passwordreset
License: MIT
Latest release: almost 6 years ago
First release: almost 6 years ago
Namespace: github.com/dchest
Dependent packages: 3
Dependent repositories: 12
Stars: 78 on GitHub
Forks: 16 on GitHub
Docker dependents: 2
Docker downloads: 230
See more repository details: repos.ecosyste.ms
Last synced: 3 months ago
