
feat: one time password reset token #1953

Open
qrkourier opened this issue May 3, 2024 · 2 comments

@qrkourier
Contributor

Is your feature request related to a problem? Please describe.
A forgotten password forces the user to create a new account or the admin to share a new password. There's no way for a user with a forgotten password to have a password unknown to the admin.

Describe the solution you'd like
The user contacts the admin for help. In the admin panel, the admin clicks to obtain a one-time account reset token. The token is provided to the user who uses it to authenticate and is prompted to set a new password.

Describe alternatives you've considered
Send a password reset email upon request to the account address, if it exists. The email contains a one-time password presented as a pastable token and a clickable hyperlink. The OTP is valid for a few minutes. This would work, but most people don't want to set up an SMTP account, and I reckon most open-webui instances do not represent such a large number of users that self-service is truly necessary. Though, this would serve those admins with many users.

Additional context
Account life cycle events present opportunities for external attacks and admin overreach. The privacy-oriented user will appreciate having the option to choose between optimizing for chat preservation or chat privacy. For example, the default option could be to destroy chats if the password is administratively reset, thereby removing a convenient vector for attack or admin snooping (but not all vectors).

@qrkourier qrkourier changed the title smtp for password reset and future notifications channel password reset token May 3, 2024
@tjbck tjbck changed the title password reset token feat: one time password reset token May 3, 2024
@tjbck tjbck self-assigned this May 3, 2024
@qrkourier
Contributor Author

I overlooked a feature that solves this for me. The user can reset their password after admin sets it.

It would be better if the admin-set pw was single use, forcing the user to choose a new secret immediately, avoiding the persistence of a shared (compromised) secret.

The self service email method would still be useful for larger instances with many users.
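The flow described in the original request (admin mints a one-time reset token, user redeems it and must set a new password immediately) and the follow-up point that the admin-provided secret should be single use can both be shown in a small Python sketch. This is an added example, not code from open-webui or from anyone in this thread; the `PasswordResetService` class, its in-memory stores, the 10-minute lifetime and the optional `on_admin_reset` hook (standing in for the "destroy chats on administrative reset" option mentioned above) are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 10 * 60  # assumed lifetime of a reset token; not from the issue


def _hash_token(token: str) -> str:
    # Only a digest of the token is stored, so a leaked database does not yield live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _hash_password(password: str) -> str:
    # Salted PBKDF2; stored as "salt$digest" (hypothetical storage format).
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt), 200_000)
    return f"{salt}${digest.hex()}"


def _check_password(password: str, stored: str) -> bool:
    salt, digest = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt), 200_000)
    return hmac.compare_digest(candidate.hex(), digest)


@dataclass
class ResetRecord:
    user_id: str
    token_hash: str
    expires_at: float
    used: bool = False


@dataclass
class PasswordResetService:
    # Injectable clock so expiry can be tested deterministically.
    clock: Callable[[], float] = time.time
    # Hypothetical in-memory stores standing in for the application's database.
    records: List[ResetRecord] = field(default_factory=list)
    passwords: Dict[str, str] = field(default_factory=dict)  # user_id -> password hash
    # Optional hook run when an admin resets an account, e.g. to purge that user's chats.
    on_admin_reset: Optional[Callable[[str], None]] = None

    def issue_token(self, user_id: str) -> str:
        """Admin action: mint a one-time token. The plaintext is returned once and never stored."""
        # Any earlier outstanding token for this user is burned so only the newest one works.
        for rec in self.records:
            if rec.user_id == user_id:
                rec.used = True
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self.records.append(ResetRecord(user_id, _hash_token(token), self.clock() + TOKEN_TTL_SECONDS))
        if self.on_admin_reset is not None:
            self.on_admin_reset(user_id)
        return token

    def _find(self, token: str) -> Optional[ResetRecord]:
        digest = _hash_token(token)
        # Constant-time comparison against every stored digest; no early exit on match.
        found = None
        for rec in self.records:
            if hmac.compare_digest(rec.token_hash, digest):
                found = rec
        return found

    def redeem(self, token: str, new_password: str) -> Optional[str]:
        """User action: consume the token and set a new password in one step.

        Returns the user id on success, None if the token is unknown, expired or already used.
        The token is burned before the password is written, so a retry cannot reuse it.
        """
        rec = self._find(token)
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None
        rec.used = True
        self.passwords[rec.user_id] = _hash_password(new_password)
        return rec.user_id

    def verify_password(self, user_id: str, password: str) -> bool:
        """Normal login check against the stored hash."""
        stored = self.passwords.get(user_id)
        return stored is not None and _check_password(password, stored)
```

Because the admin only ever sees the token and the token dies on first use, the persistent shared secret the second comment warns about never exists: once the user redeems it, the only credential for the account is the password they chose themselves.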

@juliojesusvizcaino

I'm working on a solution for email-based password recovery.

It is a draft, but it already works (if configured correctly). I haven't tested it in docker yet, later today.

It's currently in a fork, but I'd be happy to merge it upstream.

#2003
