Forgotten password reset functionality

For any web service that requires user profiles, one functionality that cannot be left out is resetting a forgotten password, so Chat App - Web Application must also offer it to users who have forgotten their password. Security is another reason this option is needed: in some places it is a recommendation and in others an obligation to change passwords periodically, precisely to maintain the level of security of the account, of the application and, in the general sense, of the whole system we use.

In this case, the password reset takes place in several steps. After clicking the password reset link, the user first enters the e-mail address associated with the account, and the verification code is sent to that address. The user then goes to the verification page, where the code received by e-mail has to be entered. If the codes match, the final step is to enter a new password. Only after this process does the user have the option to log in to the chat.

Step 1 - entering the email address

It seems trivial, but it is necessary. The entered e-mail address is first checked against the database to see whether such an entry exists. Only when it is confirmed to exist is the verification code sent to that address and the flow proceeds to the next step.

Step 2 - account verification

This step essentially examines whether the password change request is genuine or arose as a result of some other (unwanted) activity. The code sent to the e-mail address is compared with the code stored in the database, in the same record where the e-mail address was previously stored. If they match, the value of the code in the database is reset, i.e. returned to 0. A similar code is used in the registration process to determine the authenticity of an e-mail account. We are left with the last step, the change of password.

Step 3 - Entering a new password / changing the password

After the first two steps, we finally arrive at the password reset form. The same password must be entered in both password fields, which is essentially another form of logical control of user input. After a successful change, the user is redirected to the login page, from where they can access the chat again.

With the new scripts that enable this functionality, the biggest changes were made to the verification scripts (verify.php and verify.js). They contain the whole logic around traffic control, so to speak: they distinguish between the two possible scenarios, registration and reset, and send the user to the appropriate pages accordingly. This is accomplished using variables placed in the session.

Part of the script verify.php that was changed

// $otp is the code the user submitted; $row is the users record looked up for $_SESSION['email'].
// Compare strictly as strings, and never accept the stored value 0, which marks a code already used.
if ($row['code'] != 0 && (string)$otp === (string)$row['code']) {
  $code = 0; // a verified code is returned to 0 so it cannot be used a second time
  if ( $_SESSION['action'] == 'activate' ) {
    $verStatus = 1;
    $status = 'Active now!';
    // prepared statement: the code and the e-mail address are bound as parameters, not interpolated into the SQL string
    $stmtAccountActivation = mysqli_prepare($conn, "UPDATE users SET status = ?, code = ?, verification_status = ? WHERE code = ? AND email = ?");
    mysqli_stmt_bind_param($stmtAccountActivation, 'siiis', $status, $code, $verStatus, $otp, $_SESSION['email']);
    if ( mysqli_stmt_execute($stmtAccountActivation) ) {
       $_SESSION['unique_id'] = $row['unique_id'];
       echo "success activating";
    } else {
       echo "Ups! Something went wrong with the query! Error: ". mysqli_stmt_error($stmtAccountActivation);
    }
  } else if ( $_SESSION['action'] == 'reset' ) {
    // same pattern for the reset branch: only the code is cleared, the password itself is changed in step 3
    $stmtPassReset = mysqli_prepare($conn, "UPDATE users SET code = ? WHERE email = ?");
    mysqli_stmt_bind_param($stmtPassReset, 'is', $code, $_SESSION['email']);
    if ( mysqli_stmt_execute($stmtPassReset) ) {
      $_SESSION['email'] = $row['email'];
      echo "success reseting";
    } else {
      echo "Ups! Something went wrong with the reset query! Error: ". mysqli_stmt_error($stmtPassReset);
    }
  } else {
    echo 'Unknown action';
  }
}
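To make the rules of steps 1 and 2 explicit (a code only an existing account receives, a code that is single use and returned to 0, a strict comparison that never accepts that 0, and routing by the session action), here is an added Python model of the flow; it is not code from Chat App, the in-memory users table and the e-mail address are constructed, and the code lifetime is an assumption the post does not make.

```python
import hmac
import secrets
import time

# Constructed stand-in for the `users` table: the code lives in the same record
# as the e-mail address, and 0 means "no code outstanding" (as in the post).
USERS = {
    "alice@example.com": {"code": 0, "expires": 0, "verification_status": 0, "status": "Pending"},
}
CODE_TTL = 600  # assumed lifetime of a code in seconds; the post does not set one


def start_reset(email, now=None):
    """Step 1: only an address present in the table gets a code (None otherwise)."""
    now = time.time() if now is None else now
    row = USERS.get(email)
    if row is None:
        return None
    code = secrets.randbelow(900000) + 100000  # six digits from a CSPRNG, never 0
    row["code"], row["expires"] = code, now + CODE_TTL
    return code  # in the app this goes out by e-mail, never back to the browser


def verify(email, action, otp, now=None):
    """Step 2: check the submitted code and route by the session action.
    Returns the message verify.php echoes, or a generic failure string."""
    now = time.time() if now is None else now
    row = USERS.get(email)
    if action not in ("activate", "reset"):
        return "Unknown action"
    # a stored 0 (code already used) or an expired code can never verify
    if row is None or row["code"] == 0 or now > row["expires"]:
        return "invalid or expired code"
    # constant-time comparison of the two codes as strings, so "123" vs 123
    # and "0" vs 0 are handled explicitly rather than by loose == rules
    if not hmac.compare_digest(str(otp).encode(), str(row["code"]).encode()):
        return "invalid or expired code"
    row["code"], row["expires"] = 0, 0  # single use: returned to 0 as in the post
    if action == "activate":
        row["verification_status"], row["status"] = 1, "Active now!"
        return "success activating"
    return "success reseting"
```

The failure string is deliberately the same for an unknown address, a wrong code and an expired code, so the verification page does not reveal which one it was.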

Conclusion

At the beginning of the implementation of this functionality, I thought it was a 10-minute job. I underestimated the opponent, and the 10 minutes lasted for several hours and two attempts :) On the first attempt, the wrong script was persistently called during the verification, so the verification did not work. Luckily, Git was there to save me. I took a step back and rewrote the necessary scripts. This time it was a bit buggy, but not nearly as bad as the first attempt. A very important lesson - never write code in a half-awake state! So now password reset works and is part of the app!

GitHub, Cukuce (app)