Flask-Login Password Reset
Base logic:
- Create a reset password form with an email field.
- When the user submits the form you should:
  - check this email in the database
  - generate an unpredictable, cryptographically random secret key (hereafter just "secret key")
  - store this key, the current timestamp and the user identifier in a cache or database
  - send it to the user's email or by SMS
- When the user applies the secret key (for example with a URL or a special form) you should:
  - validate it (exists, not expired, not used before)
  - get the user identifier
  - delete or mark as used the current secret key
  - provide logic to enter/generate a new password.
Logic to enter/generate password can be different:
- login user and show form to enter new password - one time login key
- show form to enter password, then log in if valid
- generate new password and send it to user email
- generate new secret key for form to enter new password and send it to user email
- generate new secret key to approve form, send it via sms, show form to enter new password and approval secret key then login if valid
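The token lifecycle described in the answer above (random secret, stored with timestamp and user id, validated as existing, unexpired and unused, then marked used), written out as an added Python example that is not part of the original answer and not Flask-Login or Flask-Security code. It assumes an in-memory dict standing in for the cache/database and an injectable clock so expiry can be tested; as one design choice beyond the answer's text, it stores only a SHA-256 hash of the token, so a leaked store does not hand out live reset links, and lookups are done by re-hashing the presented token.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed default lifetime for a reset link (15 minutes); tune per deployment.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetRecord:
    """What the answer says to persist: user identifier, creation time, used flag."""
    user_id: int
    created_at: float
    used: bool = False


class PasswordResetService:
    """Issue and redeem single-use, time-limited password reset tokens.

    `users_by_email` stands in for the user table (constructed input);
    `clock` is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, users_by_email: Dict[str, int],
                 ttl: int = TOKEN_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._users_by_email = users_by_email
        self._ttl = ttl
        self._clock = clock
        # token_hash -> ResetRecord; a real app would use a DB/cache table.
        self._store: Dict[str, ResetRecord] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store a hash, not the token: a dump of the store is not a list of live links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1: look up the email, mint a random secret, persist it, hand it back.

        Returns the raw token to be embedded in the emailed/SMSed link, or None if
        the email is unknown. The HTTP layer should answer identically either way so
        the endpoint does not reveal which addresses are registered.
        """
        user_id = self._users_by_email.get(email)
        if user_id is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._store[self._fingerprint(token)] = ResetRecord(user_id, self._clock())
        return token

    def redeem(self, token: str) -> Optional[int]:
        """Step 2: validate (exists, not expired, not used), mark used, return user id."""
        record = self._store.get(self._fingerprint(token))
        if record is None or record.used:
            return None
        if self._clock() - record.created_at > self._ttl:
            return None
        record.used = True  # one-shot: a replayed link is rejected above
        return record.user_id


def demo() -> Dict[str, object]:
    """Walk the flow on constructed data and return the observations."""
    users = {"alice@example.com": 1}          # constructed user table
    now = [1_000_000.0]                        # controllable clock
    svc = PasswordResetService(users, ttl=60, clock=lambda: now[0])

    token = svc.request_reset("alice@example.com")
    first = svc.redeem(token)                  # valid -> 1
    replay = svc.redeem(token)                 # already used -> None
    stale = svc.request_reset("alice@example.com")
    now[0] += 61                               # walk past the TTL
    expired = svc.redeem(stale)                # expired -> None
    return {"first": first, "replay": replay, "expired": expired,
            "unknown_email": svc.request_reset("nobody@example.com")}


if __name__ == "__main__":
    print(demo())
```

Whatever the app does after `redeem` returns a user id (log the user in and show a new-password form, or collect the password first and then log in) is the "logic to enter/generate new password" the answer leaves open; the service above only decides whether the presented secret is acceptable.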
flask-login
doesn't take care of reset password emails and other such things. It's just there to manage sessions and cookies.
You should use Flask-Security
which adds password reset functionality and other common security related features to flask. Flask-Security uses flask-login to handle sessions, but adds other features on top to round out the security features:
Email Confirmation
If desired you can require that new users confirm their email address. Flask-Security will send an email message to any new users with an confirmation link. Upon navigating to the confirmation link, the user will be automatically logged in. There is also view for resending a confirmation link to a given email if the user happens to try to use an expired token or has lost the previous email. Confirmation links can be configured to expire after a specified amount of time.
Password Reset/Recovery
Password reset and recovery is available for when a user forgets his or her password. Flask-Security sends an email to the user with a link to a view which they can reset their password. Once the password is reset they are automatically logged in and can use the new password from then on. Password reset links can be configured to expire after a specified amount of time.
User Registration
Flask-Security comes packaged with a basic user registration view. This view is very simple and new users need only supply an email address and their password. This view can be overrided[sic] if your registration process requires more fields.