Hi, We are working on 'Forgot password' functionality (as described in previous posts) and intend to make it as secure as possible. As such we try to use microflows with setting 'Apply entity access' set to True as much as possible, We noticed though that it is not possible for an anonymous user to save his new password (or retrieve a specialization of user account by name (attribute of user)) when handling the reset flow with 'Apply entity access' set to True. I do understand the reason (user entity has an access rule to read/write password only for the current user), however am curious how this should be properly handled. Setting 'Apply entity access' to False for the microflow that handles the commit of the password resolves the issue, but seems weird. One thing I do not quite get is the fact that the User entity has 1 access rule identical for Administrator and User role and restricts the update of the Password field to the current user only. However when I add the password field on a regular form (data view) that contains a specialization of the user entity, I am allowed to change the password of any user (using the standard buttons (no microflows involved). I would expect that I could only do this for my own user. Last thing, I think the forgot password functionality should be included in the standard user management module.
You are right, the microflow that resets the password must have 'Apply entity access' false.
The security of this microflow can be managed with a reset-key and a time-out. When a user asks for a password reset send him a random key (for example a generated GUID). Key must be unique and long enough to disable bruteforce guessing. Keep a list of that keys and generation datetime. When the microflow is invoked check that this key is valid and less than X hours/minutes ago generated. X can be a setting.
You may consider a lock-out mechanism based on ip. If more that 3 request from a ip-address fail, block it. But that requires a customer request handler.
Don't forget the scheduled event to clean up that resetkey list for people who only click the reset link but never actually reset their password.